CodeQL documentation

CodeQL full CWE coverage

An overview of the full coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.

Overview

CWE Language Query id Query name
CWE‑11 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑12 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑13 C# cs/password-in-configuration Password in configuration file
CWE‑14 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑20 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑20 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑20 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑20 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑20 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑20 C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE‑20 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C# cs/serialization-check-bypass Serialization check bypass
CWE‑20 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C# cs/xml/missing-validation Missing XML validation
CWE‑20 C# cs/assembly-path-injection Assembly path injection
CWE‑20 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Java java/overly-large-range Overly permissive regular expression range
CWE‑20 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑20 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑20 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑20 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑20 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑20 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑20 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 JavaScript js/overly-large-range Overly permissive regular expression range
CWE‑20 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑20 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑20 JavaScript js/double-escaping Double escaping or unescaping
CWE‑20 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑20 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑20 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 Python py/overly-large-range Overly permissive regular expression range
CWE‑20 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑20 Default go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Default go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Default go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 Default go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 Default go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑20 Default go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Default go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑20 Default rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Default rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 Default rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 Default rb/overly-large-range Overly permissive regular expression range
CWE‑20 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑20 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑22 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑22 Java java/path-injection Uncontrolled data used in path expression
CWE‑22 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑22 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑22 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑22 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑22 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑22 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑22 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22 Python py/path-injection Uncontrolled data used in path expression
CWE‑22 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑22 Python py/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑22 Default go/path-injection Uncontrolled data used in path expression
CWE‑22 Default go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑22 Default go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑22 Default rb/path-injection Uncontrolled data used in path expression
CWE‑23 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑23 Java java/path-injection Uncontrolled data used in path expression
CWE‑23 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑23 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑23 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑23 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑23 Python py/path-injection Uncontrolled data used in path expression
CWE‑23 Default go/path-injection Uncontrolled data used in path expression
CWE‑23 Default rb/path-injection Uncontrolled data used in path expression
CWE‑36 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑36 Java java/path-injection Uncontrolled data used in path expression
CWE‑36 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑36 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑36 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑36 Python py/path-injection Uncontrolled data used in path expression
CWE‑36 Default go/path-injection Uncontrolled data used in path expression
CWE‑36 Default rb/path-injection Uncontrolled data used in path expression
CWE‑73 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑73 Java java/path-injection Uncontrolled data used in path expression
CWE‑73 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑73 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/template-object-injection Template Object Injection
CWE‑73 Python py/path-injection Uncontrolled data used in path expression
CWE‑73 Default go/path-injection Uncontrolled data used in path expression
CWE‑73 Default rb/path-injection Uncontrolled data used in path expression
CWE‑73 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑74 C++ cpp/non-constant-format Non-constant format string
CWE‑74 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑74 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑74 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑74 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑74 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑74 C# cs/path-injection Uncontrolled data used in path expression
CWE‑74 C# cs/command-line-injection Uncontrolled command line
CWE‑74 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑74 C# cs/web/stored-xss Stored cross-site scripting
CWE‑74 C# cs/web/xss Cross-site scripting
CWE‑74 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑74 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑74 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑74 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑74 C# cs/xml-injection XML injection
CWE‑74 C# cs/code-injection Improper control of generation of code
CWE‑74 C# cs/resource-injection Resource injection
CWE‑74 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑74 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑74 C# cs/xml/xpath-injection XPath injection
CWE‑74 C# cs/web/disabled-header-checking Header checking disabled
CWE‑74 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑74 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑74 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑74 Java java/relative-path-command Executing a command with a relative path
CWE‑74 Java java/command-line-injection Uncontrolled command line
CWE‑74 Java java/command-line-injection-local Local-user-controlled command line
CWE‑74 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑74 Java java/xss Cross-site scripting
CWE‑74 Java java/xss-local Cross-site scripting from local source
CWE‑74 Java java/sql-injection Query built from user-controlled sources
CWE‑74 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑74 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑74 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Java java/groovy-injection Groovy Language injection
CWE‑74 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑74 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑74 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑74 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑74 Java java/server-side-template-injection Server-side template injection
CWE‑74 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑74 Java java/http-response-splitting HTTP response splitting
CWE‑74 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑74 Java java/tainted-format-string Use of externally-controlled format string
CWE‑74 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑74 Java java/xml/xpath-injection XPath injection
CWE‑74 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑74 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑74 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑74 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑74 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑74 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑74 Java java/beanshell-injection BeanShell injection
CWE‑74 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑74 Java java/jshell-injection JShell injection
CWE‑74 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑74 Java java/jython-injection Injection in Jython
CWE‑74 Java java/unsafe-eval Injection in Java Script Engine
CWE‑74 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑74 Java java/spring-view-manipulation Spring View Manipulation
CWE‑74 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑74 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑74 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑74 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑74 JavaScript js/template-object-injection Template Object Injection
CWE‑74 JavaScript js/command-line-injection Uncontrolled command line
CWE‑74 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑74 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑74 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑74 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑74 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑74 JavaScript js/stored-xss Stored cross-site scripting
CWE‑74 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑74 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑74 JavaScript js/xss Client-side cross-site scripting
CWE‑74 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑74 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑74 JavaScript js/code-injection Code injection
CWE‑74 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑74 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑74 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑74 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑74 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑74 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑74 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑74 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑74 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑74 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑74 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑74 JavaScript js/xpath-injection XPath injection
CWE‑74 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑74 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑74 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑74 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑74 Python py/path-injection Uncontrolled data used in path expression
CWE‑74 Python py/command-line-injection Uncontrolled command line
CWE‑74 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑74 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑74 Python py/sql-injection SQL query built from user-controlled sources
CWE‑74 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Python py/code-injection Code injection
CWE‑74 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑74 Python py/template-injection Server Side Template Injection
CWE‑74 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑74 Python py/header-injection HTTP Header Injection
CWE‑74 Python py/nosql-injection NoSQL Injection
CWE‑74 Default go/path-injection Uncontrolled data used in path expression
CWE‑74 Default go/command-injection Command built from user-controlled sources
CWE‑74 Default go/stored-command Command built from stored data
CWE‑74 Default go/reflected-xss Reflected cross-site scripting
CWE‑74 Default go/stored-xss Stored cross-site scripting
CWE‑74 Default go/sql-injection Database query built from user-controlled sources
CWE‑74 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑74 Default go/xml/xpath-injection XPath injection
CWE‑74 Default go/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Default go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑74 Default rb/path-injection Uncontrolled data used in path expression
CWE‑74 Default rb/command-line-injection Uncontrolled command line
CWE‑74 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑74 Default rb/reflected-xss Reflected server-side cross-site scripting
CWE‑74 Default rb/stored-xss Stored cross-site scripting
CWE‑74 Default rb/sql-injection SQL query built from user-controlled sources
CWE‑74 Default rb/code-injection Code injection
CWE‑74 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑74 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑74 Default rb/tainted-format-string Use of externally-controlled format string
CWE‑77 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑77 C# cs/command-line-injection Uncontrolled command line
CWE‑77 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑77 Java java/relative-path-command Executing a command with a relative path
CWE‑77 Java java/command-line-injection Uncontrolled command line
CWE‑77 Java java/command-line-injection-local Local-user-controlled command line
CWE‑77 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑77 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑77 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑77 JavaScript js/command-line-injection Uncontrolled command line
CWE‑77 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑77 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑77 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑77 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑77 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑77 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑77 Python py/command-line-injection Uncontrolled command line
CWE‑77 Default go/command-injection Command built from user-controlled sources
CWE‑77 Default go/stored-command Command built from stored data
CWE‑77 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑77 Default rb/command-line-injection Uncontrolled command line
CWE‑77 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑78 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑78 C# cs/command-line-injection Uncontrolled command line
CWE‑78 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑78 Java java/relative-path-command Executing a command with a relative path
CWE‑78 Java java/command-line-injection Uncontrolled command line
CWE‑78 Java java/command-line-injection-local Local-user-controlled command line
CWE‑78 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑78 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑78 JavaScript js/command-line-injection Uncontrolled command line
CWE‑78 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑78 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑78 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑78 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑78 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑78 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑78 Python py/command-line-injection Uncontrolled command line
CWE‑78 Default go/command-injection Command built from user-controlled sources
CWE‑78 Default go/stored-command Command built from stored data
CWE‑78 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑78 Default rb/command-line-injection Uncontrolled command line
CWE‑78 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑79 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑79 C# cs/web/stored-xss Stored cross-site scripting
CWE‑79 C# cs/web/xss Cross-site scripting
CWE‑79 Java java/xss Cross-site scripting
CWE‑79 Java java/xss-local Cross-site scripting from local source
CWE‑79 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑79 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑79 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑79 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑79 JavaScript js/stored-xss Stored cross-site scripting
CWE‑79 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑79 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑79 JavaScript js/xss Client-side cross-site scripting
CWE‑79 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑79 JavaScript js/code-injection Code injection
CWE‑79 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑79 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑79 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑79 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑79 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑79 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑79 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑79 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑79 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑79 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑79 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑79 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑79 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑79 Python py/header-injection HTTP Header Injection
CWE‑79 Default go/reflected-xss Reflected cross-site scripting
CWE‑79 Default go/stored-xss Stored cross-site scripting
CWE‑79 Default go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑79 Default rb/reflected-xss Reflected server-side cross-site scripting
CWE‑79 Default rb/stored-xss Stored cross-site scripting
CWE‑79 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑79 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑80 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑80 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑80 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑80 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑80 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑88 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑88 C# cs/command-line-injection Uncontrolled command line
CWE‑88 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑88 Java java/relative-path-command Executing a command with a relative path
CWE‑88 Java java/command-line-injection Uncontrolled command line
CWE‑88 Java java/command-line-injection-local Local-user-controlled command line
CWE‑88 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑88 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑88 JavaScript js/command-line-injection Uncontrolled command line
CWE‑88 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑88 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑88 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑88 Python py/command-line-injection Uncontrolled command line
CWE‑88 Default rb/command-line-injection Uncontrolled command line
CWE‑88 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑89 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑89 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑89 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑89 Java java/sql-injection Query built from user-controlled sources
CWE‑89 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑89 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑89 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑89 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑89 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑89 Python py/sql-injection SQL query built from user-controlled sources
CWE‑89 Default go/sql-injection Database query built from user-controlled sources
CWE‑89 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑89 Default rb/sql-injection SQL query built from user-controlled sources
CWE‑90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑90 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑90 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑90 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑90 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑90 Default go/ldap-injection LDAP query built from user-controlled sources
CWE‑91 C# cs/xml-injection XML injection
CWE‑91 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑91 C# cs/xml/xpath-injection XPath injection
CWE‑91 Java java/xml/xpath-injection XPath injection
CWE‑91 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑91 JavaScript js/xpath-injection XPath injection
CWE‑91 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑91 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑91 Default go/xml/xpath-injection XPath injection
CWE‑93 C# cs/web/disabled-header-checking Header checking disabled
CWE‑93 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑93 Java java/http-response-splitting HTTP response splitting
CWE‑93 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑93 Python py/header-injection HTTP Header Injection
CWE‑94 C# cs/code-injection Improper control of generation of code
CWE‑94 Java java/groovy-injection Groovy Language injection
CWE‑94 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑94 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑94 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑94 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑94 Java java/server-side-template-injection Server-side template injection
CWE‑94 Java java/beanshell-injection BeanShell injection
CWE‑94 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑94 Java java/jshell-injection JShell injection
CWE‑94 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑94 Java java/jython-injection Injection in Jython
CWE‑94 Java java/unsafe-eval Injection in Java Script Engine
CWE‑94 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑94 Java java/spring-view-manipulation Spring View Manipulation
CWE‑94 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑94 JavaScript js/template-object-injection Template Object Injection
CWE‑94 JavaScript js/code-injection Code injection
CWE‑94 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑94 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑94 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑94 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑94 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑94 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑94 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑94 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑94 Python py/code-injection Code injection
CWE‑94 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑94 Default rb/code-injection Code injection
CWE‑95 C# cs/code-injection Improper control of generation of code
CWE‑95 Java java/jython-injection Injection in Jython
CWE‑95 JavaScript js/code-injection Code injection
CWE‑95 Python py/code-injection Code injection
CWE‑95 Default rb/code-injection Code injection
CWE‑96 C# cs/code-injection Improper control of generation of code
CWE‑99 C# cs/path-injection Uncontrolled data used in path expression
CWE‑99 C# cs/resource-injection Resource injection
CWE‑99 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑99 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑99 Python py/path-injection Uncontrolled data used in path expression
CWE‑99 Default go/path-injection Uncontrolled data used in path expression
CWE‑99 Default rb/path-injection Uncontrolled data used in path expression
CWE‑112 C# cs/xml/missing-validation Missing XML validation
CWE‑113 C# cs/web/disabled-header-checking Header checking disabled
CWE‑113 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑113 Java java/http-response-splitting HTTP response splitting
CWE‑113 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑113 Python py/header-injection HTTP Header Injection
CWE‑114 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑114 C# cs/assembly-path-injection Assembly path injection
CWE‑116 C# cs/web/stored-xss Stored cross-site scripting
CWE‑116 C# cs/web/xss Cross-site scripting
CWE‑116 C# cs/log-forging Log entries created from user input
CWE‑116 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑116 Java java/log-injection Log Injection
CWE‑116 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑116 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑116 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑116 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑116 JavaScript js/stored-xss Stored cross-site scripting
CWE‑116 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑116 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑116 JavaScript js/xss Client-side cross-site scripting
CWE‑116 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑116 JavaScript js/code-injection Code injection
CWE‑116 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑116 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑116 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑116 JavaScript js/double-escaping Double escaping or unescaping
CWE‑116 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑116 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑116 JavaScript js/log-injection Log injection
CWE‑116 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑116 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑116 Python py/code-injection Code injection
CWE‑116 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑116 Python py/log-injection Log Injection
CWE‑116 Default go/reflected-xss Reflected cross-site scripting
CWE‑116 Default go/stored-xss Stored cross-site scripting
CWE‑116 Default go/log-injection Log entries created from user input
CWE‑116 Default rb/reflected-xss Reflected server-side cross-site scripting
CWE‑116 Default rb/stored-xss Stored cross-site scripting
CWE‑116 Default rb/code-injection Code injection
CWE‑116 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑116 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 Default rb/log-injection Log injection
CWE‑117 C# cs/log-forging Log entries created from user input
CWE‑117 Java java/log-injection Log Injection
CWE‑117 JavaScript js/log-injection Log injection
CWE‑117 Python py/log-injection Log Injection
CWE‑117 Default go/log-injection Log entries created from user input
CWE‑117 Default rb/log-injection Log injection
CWE‑118 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑118 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑118 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑118 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑118 C++ cpp/overflow-destination Copy function using source size
CWE‑118 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑118 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑118 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑118 C++ cpp/use-after-free Potential use after free
CWE‑118 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑118 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑118 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑118 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑118 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑118 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑118 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑118 C++ cpp/badly-bounded-write Badly bounded write
CWE‑118 C++ cpp/overrunning-write Potentially overrunning write
CWE‑118 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑118 C++ cpp/unbounded-write Unbounded write
CWE‑118 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑118 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑118 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑118 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑118 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑118 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑118 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑118 C++ cpp/double-free Errors When Double Free
CWE‑118 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑118 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑118 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑118 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑118 Default go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑119 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑119 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑119 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑119 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑119 C++ cpp/overflow-destination Copy function using source size
CWE‑119 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑119 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑119 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑119 C++ cpp/use-after-free Potential use after free
CWE‑119 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑119 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑119 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑119 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑119 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑119 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑119 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑119 C++ cpp/badly-bounded-write Badly bounded write
CWE‑119 C++ cpp/overrunning-write Potentially overrunning write
CWE‑119 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑119 C++ cpp/unbounded-write Unbounded write
CWE‑119 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑119 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑119 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑119 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑119 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑119 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑119 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑119 C++ cpp/double-free Errors When Double Free
CWE‑119 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑119 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑119 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑119 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑119 Default go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑120 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑120 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑120 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑120 C++ cpp/badly-bounded-write Badly bounded write
CWE‑120 C++ cpp/overrunning-write Potentially overrunning write
CWE‑120 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑120 C++ cpp/unbounded-write Unbounded write
CWE‑120 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑120 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑120 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑120 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑121 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑121 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑122 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑122 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑122 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑122 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑122 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑125 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑125 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑125 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑125 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑125 Default go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑126 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑126 Default go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑128 C++ cpp/signed-overflow-check Signed overflow check
CWE‑128 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑129 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑129 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑129 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑129 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑131 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑131 C++ cpp/overflow-destination Copy function using source size
CWE‑131 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑131 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑131 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑131 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑134 C++ cpp/non-constant-format Non-constant format string
CWE‑134 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑134 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑134 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑134 Java java/tainted-format-string Use of externally-controlled format string
CWE‑134 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑134 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑134 Default rb/tainted-format-string Use of externally-controlled format string
CWE‑170 C++ cpp/improper-null-termination Potential improper null termination
CWE‑170 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑178 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑183 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑183 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑183 Default go/cors-misconfiguration CORS misconfiguration
CWE‑184 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑184 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑185 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑185 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑185 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑185 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑186 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑186 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑186 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑190 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑190 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑190 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑190 C++ cpp/signed-overflow-check Signed overflow check
CWE‑190 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑190 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑190 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑190 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑190 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑190 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑190 C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE‑190 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑190 C# cs/loss-of-precision Possible loss of precision
CWE‑190 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑190 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑190 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑190 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑190 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑190 Default go/allocation-size-overflow Size computation for allocation may overflow
CWE‑190 Default go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑191 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑191 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑191 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑191 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑193 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑193 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑193 Java java/index-out-of-bounds Array index out of bounds
CWE‑193 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑193 Default go/index-out-of-bounds Off-by-one comparison against length
CWE‑197 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑197 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑197 C# cs/loss-of-precision Possible loss of precision
CWE‑197 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑197 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑197 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑197 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑197 JavaScript js/shift-out-of-range Shift out of range
CWE‑197 Default go/shift-out-of-range Shift out of range
CWE‑200 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑200 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑200 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑200 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑200 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑200 C++ cpp/private-cleartext-write Exposure of private information
CWE‑200 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑200 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑200 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑200 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑200 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑200 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑200 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑200 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑200 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑200 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑200 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑200 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑200 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑200 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑200 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑200 Java java/server-directory-listing Directories and files exposure
CWE‑200 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑200 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑200 JavaScript js/file-access-to-http File data in outbound network request
CWE‑200 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑200 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑200 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑200 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑200 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑200 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑200 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑200 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑200 Python py/stack-trace-exposure Information exposure through an exception
CWE‑200 Python py/flask-debug Flask app is run in debug mode
CWE‑200 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑200 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑200 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑200 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑200 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑200 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑201 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑201 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑203 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑203 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑203 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑208 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑208 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑208 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑209 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑209 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑209 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑209 Python py/stack-trace-exposure Information exposure through an exception
CWE‑209 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑215 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑215 Python py/flask-debug Flask app is run in debug mode
CWE‑216 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑219 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑221 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑221 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑221 Java java/overly-general-catch Overly-general catch clause
CWE‑221 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑221 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑227 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑227 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑227 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑227 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑227 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑227 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑227 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑227 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑227 C++ cpp/twice-locked Mutex locked twice
CWE‑227 C++ cpp/unreleased-lock Lock may not be released
CWE‑227 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑227 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑227 C++ cpp/double-free Errors When Double Free
CWE‑227 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑227 C++ cpp/double-release Errors When Double Release
CWE‑227 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑227 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑227 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Java java/ejb/container-interference EJB interferes with container operation
CWE‑227 Java java/ejb/file-io EJB uses file input/output
CWE‑227 Java java/ejb/graphics EJB uses graphics
CWE‑227 Java java/ejb/native-code EJB uses native code
CWE‑227 Java java/ejb/reflection EJB uses reflection
CWE‑227 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑227 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑227 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑227 Java java/ejb/server-socket EJB uses server socket
CWE‑227 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑227 Java java/ejb/synchronization EJB uses synchronization
CWE‑227 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑227 Java java/ejb/threads EJB uses threads
CWE‑227 Java java/missing-call-to-super-clone Missing super clone
CWE‑227 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑227 Java java/unreleased-lock Unreleased lock
CWE‑227 Java java/missing-super-finalize Finalizer inconsistency
CWE‑227 Java java/missing-format-argument Missing format argument
CWE‑227 Java java/unused-format-argument Unused format argument
CWE‑227 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑227 Java java/empty-finalizer Empty body of finalizer
CWE‑227 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑227 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑227 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑227 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑227 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑227 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑227 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑227 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑228 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑228 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑233 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑233 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑234 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑234 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑242 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑243 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑247 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑247 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑248 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑248 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑248 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑248 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑248 JavaScript js/server-crash Server crash
CWE‑250 JavaScript js/remote-property-injection Remote property injection
CWE‑252 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑252 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑252 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑252 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑252 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑252 C# cs/unchecked-return-value Unchecked return value
CWE‑252 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 Java java/return-value-ignored Method result ignored
CWE‑252 Python py/ignored-return-value Ignored return value
CWE‑253 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑253 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑253 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑256 C# cs/password-in-configuration Password in configuration file
CWE‑256 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑256 Java java/password-in-configuration Password in configuration file
CWE‑256 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑258 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑258 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑259 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑259 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑259 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑259 Python py/hardcoded-credentials Hard-coded credentials
CWE‑259 Default go/hardcoded-credentials Hard-coded credentials
CWE‑259 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑260 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑260 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑260 C# cs/password-in-configuration Password in configuration file
CWE‑260 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑260 Java java/password-in-configuration Password in configuration file
CWE‑260 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑260 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑266 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑266 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑269 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑269 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑269 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑269 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑269 JavaScript js/remote-property-injection Remote property injection
CWE‑271 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑271 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑273 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑273 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑284 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑284 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑284 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑284 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑284 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑284 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑284 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑284 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑284 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑284 C# cs/password-in-configuration Password in configuration file
CWE‑284 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑284 C# cs/session-reuse Failure to abandon session
CWE‑284 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑284 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑284 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑284 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑284 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑284 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑284 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑284 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑284 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑284 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑284 Java java/insecure-basic-auth Insecure basic authentication
CWE‑284 Java java/world-writable-file-read Reading from a world writable file
CWE‑284 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑284 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑284 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑284 Java java/hardcoded-password-field Hard-coded password field
CWE‑284 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑284 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑284 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑284 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑284 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑284 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑284 Java java/android/intent-redirection Android Intent redirection
CWE‑284 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑284 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑284 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑284 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑284 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑284 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑284 Java java/password-in-configuration Password in configuration file
CWE‑284 Java java/incorrect-url-verification Incorrect URL verification
CWE‑284 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑284 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑284 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑284 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑284 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑284 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑284 JavaScript js/session-fixation Failure to abandon session
CWE‑284 JavaScript js/remote-property-injection Remote property injection
CWE‑284 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑284 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑284 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑284 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑284 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑284 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑284 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑284 Python py/overly-permissive-file Overly permissive file permissions
CWE‑284 Python py/hardcoded-credentials Hard-coded credentials
CWE‑284 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑284 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑284 Default go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑284 Default go/email-injection Email content injection
CWE‑284 Default go/hardcoded-credentials Hard-coded credentials
CWE‑284 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑284 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑284 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑284 Default go/cors-misconfiguration CORS misconfiguration
CWE‑284 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑284 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑284 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑284 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑284 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑285 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑285 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑285 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑285 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑285 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑285 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑285 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑285 Java java/world-writable-file-read Reading from a world writable file
CWE‑285 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑285 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑285 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑285 Java java/android/intent-redirection Android Intent redirection
CWE‑285 Java java/incorrect-url-verification Incorrect URL verification
CWE‑285 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑285 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑285 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑285 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑285 Python py/overly-permissive-file Overly permissive file permissions
CWE‑285 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑285 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑285 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑287 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑287 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑287 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑287 C# cs/password-in-configuration Password in configuration file
CWE‑287 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑287 C# cs/session-reuse Failure to abandon session
CWE‑287 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑287 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑287 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑287 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑287 Java java/insecure-basic-auth Insecure basic authentication
CWE‑287 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑287 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑287 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑287 Java java/hardcoded-password-field Hard-coded password field
CWE‑287 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑287 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑287 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑287 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑287 Java java/password-in-configuration Password in configuration file
CWE‑287 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑287 JavaScript js/session-fixation Failure to abandon session
CWE‑287 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑287 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑287 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑287 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑287 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑287 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑287 Python py/hardcoded-credentials Hard-coded credentials
CWE‑287 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑287 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑287 Default go/email-injection Email content injection
CWE‑287 Default go/hardcoded-credentials Hard-coded credentials
CWE‑287 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑287 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑287 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑287 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑290 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑290 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑290 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑290 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑290 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑290 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑295 C++ cpp/certificate-result-conflation Certificate result conflation
CWE‑295 C++ cpp/certificate-not-checked Certificate not checked
CWE‑295 Java java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE‑295 Java java/insecure-trustmanager TrustManager that accepts all certificates
CWE‑295 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑295 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑295 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑295 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑295 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑295 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑295 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑295 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑295 Python py/request-without-cert-validation Request without certificate validation
CWE‑295 Default go/disabled-certificate-check Disabled TLS certificate check
CWE‑295 Default rb/request-without-cert-validation Request without certificate validation
CWE‑297 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑297 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑297 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑297 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑297 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑299 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑300 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑300 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑300 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑307 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑311 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑311 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑311 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑311 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑311 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑311 C# cs/password-in-configuration Password in configuration file
CWE‑311 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑311 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑311 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑311 Java java/android/backup-enabled Application backup allowed
CWE‑311 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑311 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑311 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑311 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑311 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑311 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑311 Java java/non-https-url Failure to use HTTPS URLs
CWE‑311 Java java/non-ssl-connection Failure to use SSL
CWE‑311 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑311 Java java/insecure-basic-auth Insecure basic authentication
CWE‑311 Java java/insecure-cookie Failure to use secure cookies
CWE‑311 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑311 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑311 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑311 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑311 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑311 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑311 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑311 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑311 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑311 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑311 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑311 Python py/insecure-cookie Failure to use secure cookies
CWE‑311 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑311 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑311 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑311 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑312 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑312 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑312 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑312 C# cs/password-in-configuration Password in configuration file
CWE‑312 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑312 Java java/android/backup-enabled Application backup allowed
CWE‑312 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑312 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑312 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑312 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑312 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑312 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑312 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑312 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑312 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑312 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑312 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑312 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑312 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑312 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑312 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑312 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑313 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑313 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑313 C# cs/password-in-configuration Password in configuration file
CWE‑313 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑313 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑315 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑315 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑315 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑315 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑315 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑315 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑319 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑319 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑319 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑319 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑319 Java java/non-https-url Failure to use HTTPS URLs
CWE‑319 Java java/non-ssl-connection Failure to use SSL
CWE‑319 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑319 Java java/insecure-basic-auth Insecure basic authentication
CWE‑319 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑319 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑319 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑319 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑319 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑321 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑321 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑321 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑321 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑321 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑321 Python py/hardcoded-credentials Hard-coded credentials
CWE‑321 Default go/hardcoded-credentials Hard-coded credentials
CWE‑321 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑321 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑322 Default go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑326 C++ cpp/boost/tls-settings-misconfiguration Boost_asio TLS Settings Misconfiguration
CWE‑326 C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑326 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑326 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑326 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑326 Java java/insufficient-key-size Weak encryption: Insufficient key size
CWE‑326 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑326 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑326 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑326 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑326 Default go/weak-crypto-key Use of a weak cryptographic key
CWE‑326 Default go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑327 C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio Use of deprecated hardcoded Protocol
CWE‑327 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑327 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑327 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑327 C# cs/ecb-encryption Encryption using ECB
CWE‑327 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑327 C# cs/weak-encryption Weak encryption
CWE‑327 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑327 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑327 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑327 Java java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑327 Java java/unsafe-tls-version Unsafe TLS version
CWE‑327 Java java/hash-without-salt Use of a hash function without a salt
CWE‑327 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑327 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑327 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑327 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑327 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑327 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE‑327 Default go/insecure-tls Insecure TLS configuration
CWE‑327 Default go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑327 Default rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑328 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑328 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑328 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑328 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑328 Default go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑329 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑330 C# cs/random-used-once Random used only once
CWE‑330 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑330 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑330 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑330 C# cs/insecure-randomness Insecure randomness
CWE‑330 Java java/random-used-once Random used only once
CWE‑330 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑330 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑330 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑330 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑330 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑330 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑330 Java java/hardcoded-password-field Hard-coded password field
CWE‑330 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑330 JavaScript js/insecure-randomness Insecure randomness
CWE‑330 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑330 Python py/hardcoded-credentials Hard-coded credentials
CWE‑330 Python py/insecure-randomness Insecure randomness
CWE‑330 Default go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑330 Default go/hardcoded-credentials Hard-coded credentials
CWE‑330 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑330 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑335 C# cs/random-used-once Random used only once
CWE‑335 Java java/random-used-once Random used only once
CWE‑335 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑337 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑338 C# cs/insecure-randomness Insecure randomness
CWE‑338 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑338 JavaScript js/insecure-randomness Insecure randomness
CWE‑338 Python py/insecure-randomness Insecure randomness
CWE‑338 Default go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑344 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑344 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑344 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑344 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑344 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑344 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑344 Java java/hardcoded-password-field Hard-coded password field
CWE‑344 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑344 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑344 Python py/hardcoded-credentials Hard-coded credentials
CWE‑344 Default go/hardcoded-credentials Hard-coded credentials
CWE‑344 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑344 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑345 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑345 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑345 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑345 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑345 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑345 Java java/ip-address-spoofing IP address spoofing
CWE‑345 Java java/jsonp-injection JSONP Injection
CWE‑345 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑345 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑345 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑345 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 Python py/ip-address-spoofing IP address spoofing
CWE‑345 Default go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑345 Default go/cors-misconfiguration CORS misconfiguration
CWE‑345 Default rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑346 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑346 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑346 Default go/cors-misconfiguration CORS misconfiguration
CWE‑347 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑347 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑347 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑348 Java java/ip-address-spoofing IP address spoofing
CWE‑348 Python py/ip-address-spoofing IP address spoofing
CWE‑350 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑350 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑352 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑352 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑352 Java java/jsonp-injection JSONP Injection
CWE‑352 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑352 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑352 Default go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑352 Default rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑359 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑359 C++ cpp/private-cleartext-write Exposure of private information
CWE‑359 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑359 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑359 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑359 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑359 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑359 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑359 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑359 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑359 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑359 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑359 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑362 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑362 C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE‑362 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑362 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑362 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑362 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑362 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑362 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑362 JavaScript js/file-system-race Potential file system race condition
CWE‑366 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑367 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑367 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑367 JavaScript js/file-system-race Potential file system race condition
CWE‑369 Default go/divide-by-zero Divide by zero
CWE‑377 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑377 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑377 Python py/insecure-temporary-file Insecure temporary file
CWE‑378 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑382 Java java/ejb/container-interference EJB interferes with container operation
CWE‑382 Java java/jvm-exit Forcible JVM termination
CWE‑383 Java java/ejb/threads EJB uses threads
CWE‑384 C# cs/session-reuse Failure to abandon session
CWE‑384 JavaScript js/session-fixation Failure to abandon session
CWE‑390 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑390 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑390 Python py/empty-except Empty except
CWE‑391 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑391 Java java/discarded-exception Discarded exception
CWE‑391 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑395 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑396 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑396 Java java/overly-general-catch Overly-general catch clause
CWE‑396 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑398 C++ cpp/unused-local-variable Unused local variable
CWE‑398 C++ cpp/unused-static-function Unused static function
CWE‑398 C++ cpp/unused-static-variable Unused static variable
CWE‑398 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑398 C++ cpp/dead-code-function Function is never called
CWE‑398 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑398 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑398 C++ cpp/missing-null-test Returned pointer not checked
CWE‑398 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑398 C++ cpp/fixme-comment FIXME comment
CWE‑398 C++ cpp/todo-comment TODO comment
CWE‑398 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑398 C++ cpp/useless-expression Expression has no effect
CWE‑398 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑398 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑398 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑398 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑398 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑398 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑398 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑398 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑398 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑398 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑398 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑398 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑398 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑398 C# cs/todo-comment TODO comment
CWE‑398 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 C# cs/unused-reftype Dead reference types
CWE‑398 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑398 C# cs/unused-field Unused field
CWE‑398 C# cs/unused-method Unused method
CWE‑398 C# cs/useless-cast-to-self Cast to same type
CWE‑398 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑398 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑398 C# cs/useless-type-test Useless type test
CWE‑398 C# cs/useless-upcast Useless upcast
CWE‑398 C# cs/empty-collection Container contents are never initialized
CWE‑398 C# cs/unused-collection Container contents are never accessed
CWE‑398 C# cs/empty-lock-statement Empty lock statement
CWE‑398 C# cs/linq/useless-select Redundant Select
CWE‑398 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑398 Java java/dead-class Dead class
CWE‑398 Java java/dead-enum-constant Dead enum constant
CWE‑398 Java java/dead-field Dead field
CWE‑398 Java java/dead-function Dead method
CWE‑398 Java java/lines-of-dead-code Lines of dead code in files
CWE‑398 Java java/unused-parameter Useless parameter
CWE‑398 Java java/useless-null-check Useless null check
CWE‑398 Java java/useless-type-test Useless type test
CWE‑398 Java java/useless-upcast Useless upcast
CWE‑398 Java java/empty-container Container contents are never initialized
CWE‑398 Java java/unused-container Container contents are never accessed
CWE‑398 Java java/constant-comparison Useless comparison test
CWE‑398 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑398 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 Java java/empty-synchronized-block Empty synchronized block
CWE‑398 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑398 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑398 Java java/todo-comment TODO/FIXME comments
CWE‑398 Java java/unused-reference-type Unused classes and interfaces
CWE‑398 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑398 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑398 Java java/local-variable-is-never-read Unread local variable
CWE‑398 Java java/unused-field Unused field
CWE‑398 Java java/unused-label Unused label
CWE‑398 Java java/unused-local-variable Unused local variable
CWE‑398 Java java/switch-fall-through Unterminated switch case
CWE‑398 Java java/redundant-cast Unnecessary cast
CWE‑398 Java java/unused-import Unnecessary import
CWE‑398 JavaScript js/todo-comment TODO comment
CWE‑398 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑398 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑398 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑398 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑398 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑398 JavaScript js/overwritten-property Overwritten property
CWE‑398 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑398 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑398 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑398 JavaScript js/duplicate-property Duplicate property
CWE‑398 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑398 JavaScript js/useless-expression Expression has no effect
CWE‑398 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑398 JavaScript js/redundant-operation Identical operands
CWE‑398 JavaScript js/redundant-assignment Self assignment
CWE‑398 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑398 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑398 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑398 JavaScript js/useless-type-test Useless type test
CWE‑398 JavaScript js/eval-call Use of eval
CWE‑398 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑398 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑398 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑398 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑398 JavaScript js/unreachable-statement Unreachable statement
CWE‑398 JavaScript js/trivial-conditional Useless conditional
CWE‑398 Python py/unreachable-except Unreachable 'except' block
CWE‑398 Python py/comparison-of-constants Comparison of constants
CWE‑398 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑398 Python py/redundant-comparison Redundant comparison
CWE‑398 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑398 Python py/import-deprecated-module Import of deprecated module
CWE‑398 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑398 Python py/redundant-assignment Redundant assignment
CWE‑398 Python py/ineffectual-statement Statement has no effect
CWE‑398 Python py/unreachable-statement Unreachable code
CWE‑398 Python py/multiple-definition Variable defined multiple times
CWE‑398 Python py/unused-local-variable Unused local variable
CWE‑398 Python py/unused-global-variable Unused global variable
CWE‑398 Default go/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Default go/useless-assignment-to-field Useless assignment to field
CWE‑398 Default go/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Default go/duplicate-branches Duplicate 'if' branches
CWE‑398 Default go/duplicate-condition Duplicate 'if' condition
CWE‑398 Default go/duplicate-switch-case Duplicate switch case
CWE‑398 Default go/useless-expression Expression has no effect
CWE‑398 Default go/redundant-operation Identical operands
CWE‑398 Default go/redundant-assignment Self assignment
CWE‑398 Default go/unreachable-statement Unreachable statement
CWE‑398 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑398 Default rb/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Default rb/unused-parameter Unused parameter.
CWE‑400 C++ cpp/catch-missing-free Leaky catch
CWE‑400 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑400 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑400 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑400 C++ cpp/file-never-closed Open file is not closed
CWE‑400 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑400 C++ cpp/memory-never-freed Memory is never freed
CWE‑400 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑400 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑400 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑400 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑400 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑400 C# cs/regex-injection Regular expression injection
CWE‑400 Java java/input-resource-leak Potential input resource leak
CWE‑400 Java java/database-resource-leak Potential database resource leak
CWE‑400 Java java/output-resource-leak Potential output resource leak
CWE‑400 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Java java/redos Inefficient regular expression
CWE‑400 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑400 Java java/thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE‑400 Java java/thread-resource-abuse Uncontrolled thread resource consumption
CWE‑400 Java java/regex-injection Regular expression injection
CWE‑400 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 JavaScript js/redos Inefficient regular expression
CWE‑400 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑400 JavaScript js/remote-property-injection Remote property injection
CWE‑400 JavaScript js/regex-injection Regular expression injection
CWE‑400 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑400 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑400 JavaScript js/xml-bomb XML internal entity expansion
CWE‑400 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑400 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑400 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑400 Python py/file-not-closed File is not always closed
CWE‑400 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Python py/redos Inefficient regular expression
CWE‑400 Python py/regex-injection Regular expression injection
CWE‑400 Python py/xml-bomb XML internal entity expansion
CWE‑400 Default rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Default rb/redos Inefficient regular expression
CWE‑400 Default rb/regexp-injection Regular expression injection
CWE‑401 C++ cpp/catch-missing-free Leaky catch
CWE‑401 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑401 C++ cpp/memory-never-freed Memory is never freed
CWE‑401 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑401 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 C++ cpp/catch-missing-free Leaky catch
CWE‑404 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑404 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑404 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑404 C++ cpp/file-never-closed Open file is not closed
CWE‑404 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑404 C++ cpp/memory-never-freed Memory is never freed
CWE‑404 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑404 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑404 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑404 C# cs/member-not-disposed Missing Dispose call
CWE‑404 C# cs/missing-dispose-method Missing Dispose method
CWE‑404 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑404 Java java/missing-super-finalize Finalizer inconsistency
CWE‑404 Java java/input-resource-leak Potential input resource leak
CWE‑404 Java java/database-resource-leak Potential database resource leak
CWE‑404 Java java/output-resource-leak Potential output resource leak
CWE‑404 Java java/empty-finalizer Empty body of finalizer
CWE‑404 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑404 Python py/file-not-closed File is not always closed
CWE‑405 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑405 C# cs/insecure-xml-read XML is read insecurely
CWE‑405 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑405 JavaScript js/xml-bomb XML internal entity expansion
CWE‑405 Python py/xml-bomb XML internal entity expansion
CWE‑405 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑405 Default rb/user-controlled-file-decompression User-controlled file decompression
CWE‑405 Default rb/xxe XML external entity expansion
CWE‑409 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑409 C# cs/insecure-xml-read XML is read insecurely
CWE‑409 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑409 JavaScript js/xml-bomb XML internal entity expansion
CWE‑409 Python py/xml-bomb XML internal entity expansion
CWE‑409 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑409 Default rb/user-controlled-file-decompression User-controlled file decompression
CWE‑409 Default rb/xxe XML external entity expansion
CWE‑413 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑415 C++ cpp/double-free Errors When Double Free
CWE‑415 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑416 C++ cpp/use-after-free Potential use after free
CWE‑420 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑421 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑428 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑434 C# cs/web/file-upload Use of file upload
CWE‑434 JavaScript js/http-to-file-access Network data written to file
CWE‑434 Default rb/http-to-file-access Network data written to file
CWE‑435 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑441 C# cs/request-forgery Server-side request forgery
CWE‑441 Java java/ssrf Server-side request forgery
CWE‑441 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑441 JavaScript js/request-forgery Server-side request forgery
CWE‑441 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑441 Python py/full-ssrf Full server-side request forgery
CWE‑441 Python py/partial-ssrf Partial server-side request forgery
CWE‑441 Default go/request-forgery Uncontrolled data used in network request
CWE‑441 Default go/ssrf Uncontrolled data used in network request
CWE‑441 Default rb/request-forgery Server-side request forgery
CWE‑451 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑451 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑456 C++ cpp/initialization-not-run Initialization code not run
CWE‑457 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑457 C++ cpp/not-initialised Variable not initialized before use
CWE‑457 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑457 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑457 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑457 Java java/unassigned-field Field is never assigned a non-null value
CWE‑459 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑459 C# cs/member-not-disposed Missing Dispose call
CWE‑459 C# cs/missing-dispose-method Missing Dispose method
CWE‑459 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑459 Java java/missing-super-finalize Finalizer inconsistency
CWE‑459 Java java/empty-finalizer Empty body of finalizer
CWE‑460 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑460 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑467 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑468 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑468 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑468 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑468 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑470 Java java/android/fragment-injection Android fragment injection
CWE‑470 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑470 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑471 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑471 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑471 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑471 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑472 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑476 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑476 C++ cpp/missing-null-test Returned pointer not checked
CWE‑476 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑476 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑476 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑476 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑476 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑476 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑476 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑477 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑477 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑477 Python py/import-deprecated-module Import of deprecated module
CWE‑478 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑478 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑478 Java java/missing-default-in-switch Missing default case in switch
CWE‑478 Java java/missing-case-in-switch Missing enum case in switch
CWE‑480 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑480 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑480 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑480 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑480 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑480 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑480 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑480 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑480 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑480 JavaScript js/useless-expression Expression has no effect
CWE‑480 JavaScript js/redundant-operation Identical operands
CWE‑480 JavaScript js/redundant-assignment Self assignment
CWE‑480 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑480 Default go/useless-expression Expression has no effect
CWE‑480 Default go/redundant-operation Identical operands
CWE‑480 Default go/redundant-assignment Self assignment
CWE‑481 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑481 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑482 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑483 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑483 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑484 Java java/switch-fall-through Unterminated switch case
CWE‑485 C# cs/class-name-comparison Erroneous class compare
CWE‑485 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑485 C# cs/expose-implementation Exposing internal representation
CWE‑485 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑485 Java java/missing-call-to-super-clone Missing super clone
CWE‑485 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑485 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑485 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑485 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑485 Java java/internal-representation-exposure Exposing internal representation
CWE‑485 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑485 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑485 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑485 JavaScript js/alert-call Invocation of alert
CWE‑485 JavaScript js/debugger-statement Use of debugger statement
CWE‑485 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑485 Python py/flask-debug Flask app is run in debug mode
CWE‑486 C# cs/class-name-comparison Erroneous class compare
CWE‑489 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑489 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑489 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑489 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑489 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑489 JavaScript js/alert-call Invocation of alert
CWE‑489 JavaScript js/debugger-statement Use of debugger statement
CWE‑489 Python py/flask-debug Flask app is run in debug mode
CWE‑494 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑494 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑494 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑494 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑497 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑497 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑497 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑497 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑497 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑497 Python py/stack-trace-exposure Information exposure through an exception
CWE‑497 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑499 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑502 C# cs/deserialized-delegate Deserialized delegate
CWE‑502 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑502 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑502 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑502 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑502 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑502 Default rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑506 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑506 Default rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑521 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑521 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑522 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑522 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑522 C# cs/password-in-configuration Password in configuration file
CWE‑522 Java java/insecure-basic-auth Insecure basic authentication
CWE‑522 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑522 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑522 Java java/password-in-configuration Password in configuration file
CWE‑522 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑522 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑522 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑523 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑532 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑532 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑532 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑532 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑532 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑532 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑538 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑538 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑538 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑538 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑538 Java java/server-directory-listing Directories and files exposure
CWE‑538 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑538 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑538 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑538 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑538 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑539 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑543 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑546 C++ cpp/fixme-comment FIXME comment
CWE‑546 C++ cpp/todo-comment TODO comment
CWE‑546 C# cs/todo-comment TODO comment
CWE‑546 Java java/todo-comment TODO/FIXME comments
CWE‑546 JavaScript js/todo-comment TODO comment
CWE‑548 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑548 Java java/server-directory-listing Directories and files exposure
CWE‑548 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑552 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑552 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑552 Java java/server-directory-listing Directories and files exposure
CWE‑552 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑552 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑552 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑552 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑555 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑555 Java java/password-in-configuration Password in configuration file
CWE‑560 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑561 C++ cpp/unused-static-function Unused static function
CWE‑561 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑561 C++ cpp/dead-code-function Function is never called
CWE‑561 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑561 C++ cpp/useless-expression Expression has no effect
CWE‑561 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑561 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑561 C# cs/unused-reftype Dead reference types
CWE‑561 C# cs/unused-field Unused field
CWE‑561 C# cs/unused-method Unused method
CWE‑561 C# cs/useless-cast-to-self Cast to same type
CWE‑561 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑561 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑561 C# cs/useless-type-test Useless type test
CWE‑561 C# cs/useless-upcast Useless upcast
CWE‑561 C# cs/empty-collection Container contents are never initialized
CWE‑561 C# cs/unused-collection Container contents are never accessed
CWE‑561 C# cs/linq/useless-select Redundant Select
CWE‑561 Java java/dead-class Dead class
CWE‑561 Java java/dead-enum-constant Dead enum constant
CWE‑561 Java java/dead-field Dead field
CWE‑561 Java java/dead-function Dead method
CWE‑561 Java java/lines-of-dead-code Lines of dead code in files
CWE‑561 Java java/unused-parameter Useless parameter
CWE‑561 Java java/useless-null-check Useless null check
CWE‑561 Java java/useless-type-test Useless type test
CWE‑561 Java java/useless-upcast Useless upcast
CWE‑561 Java java/empty-container Container contents are never initialized
CWE‑561 Java java/unused-container Container contents are never accessed
CWE‑561 Java java/constant-comparison Useless comparison test
CWE‑561 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑561 Java java/unused-reference-type Unused classes and interfaces
CWE‑561 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑561 Java java/local-variable-is-never-read Unread local variable
CWE‑561 Java java/unused-field Unused field
CWE‑561 Java java/unused-label Unused label
CWE‑561 Java java/redundant-cast Unnecessary cast
CWE‑561 Java java/unused-import Unnecessary import
CWE‑561 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑561 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑561 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑561 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑561 JavaScript js/useless-expression Expression has no effect
CWE‑561 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑561 JavaScript js/redundant-operation Identical operands
CWE‑561 JavaScript js/redundant-assignment Self assignment
CWE‑561 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑561 JavaScript js/useless-type-test Useless type test
CWE‑561 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑561 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑561 JavaScript js/unreachable-statement Unreachable statement
CWE‑561 JavaScript js/trivial-conditional Useless conditional
CWE‑561 Python py/unreachable-except Unreachable 'except' block
CWE‑561 Python py/comparison-of-constants Comparison of constants
CWE‑561 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑561 Python py/redundant-comparison Redundant comparison
CWE‑561 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑561 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑561 Python py/ineffectual-statement Statement has no effect
CWE‑561 Python py/unreachable-statement Unreachable code
CWE‑561 Default go/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Default go/duplicate-branches Duplicate 'if' branches
CWE‑561 Default go/duplicate-condition Duplicate 'if' condition
CWE‑561 Default go/duplicate-switch-case Duplicate switch case
CWE‑561 Default go/useless-expression Expression has no effect
CWE‑561 Default go/redundant-operation Identical operands
CWE‑561 Default go/redundant-assignment Self assignment
CWE‑561 Default go/unreachable-statement Unreachable statement
CWE‑561 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑563 C++ cpp/unused-local-variable Unused local variable
CWE‑563 C++ cpp/unused-static-variable Unused static variable
CWE‑563 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑563 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑563 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑563 Java java/unused-local-variable Unused local variable
CWE‑563 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑563 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑563 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑563 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑563 JavaScript js/overwritten-property Overwritten property
CWE‑563 JavaScript js/duplicate-property Duplicate property
CWE‑563 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑563 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑563 Python py/redundant-assignment Redundant assignment
CWE‑563 Python py/multiple-definition Variable defined multiple times
CWE‑563 Python py/unused-local-variable Unused local variable
CWE‑563 Python py/unused-global-variable Unused global variable
CWE‑563 Default go/useless-assignment-to-field Useless assignment to field
CWE‑563 Default go/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Default rb/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Default rb/unused-parameter Unused parameter.
CWE‑564 Java java/sql-injection Query built from user-controlled sources
CWE‑564 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑564 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑567 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑568 Java java/missing-super-finalize Finalizer inconsistency
CWE‑568 Java java/empty-finalizer Empty body of finalizer
CWE‑570 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑570 Java java/constant-comparison Useless comparison test
CWE‑570 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑570 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑570 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑570 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑570 JavaScript js/useless-type-test Useless type test
CWE‑570 JavaScript js/trivial-conditional Useless conditional
CWE‑570 Python py/comparison-of-constants Comparison of constants
CWE‑570 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑570 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑570 Python py/redundant-comparison Redundant comparison
CWE‑570 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑570 Default go/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Java java/constant-comparison Useless comparison test
CWE‑571 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑571 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑571 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑571 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑571 JavaScript js/useless-type-test Useless type test
CWE‑571 JavaScript js/trivial-conditional Useless conditional
CWE‑571 Python py/comparison-of-constants Comparison of constants
CWE‑571 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑571 Python py/redundant-comparison Redundant comparison
CWE‑571 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑571 Default go/comparison-of-identical-expressions Comparison of identical values
CWE‑572 Java java/call-to-thread-run Direct call to a run() method
CWE‑573 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑573 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑573 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑573 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑573 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑573 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑573 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑573 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑573 C++ cpp/twice-locked Mutex locked twice
CWE‑573 C++ cpp/unreleased-lock Lock may not be released
CWE‑573 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑573 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑573 C++ cpp/double-free Errors When Double Free
CWE‑573 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑573 C++ cpp/double-release Errors When Double Release
CWE‑573 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑573 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑573 Java java/ejb/container-interference EJB interferes with container operation
CWE‑573 Java java/ejb/file-io EJB uses file input/output
CWE‑573 Java java/ejb/graphics EJB uses graphics
CWE‑573 Java java/ejb/native-code EJB uses native code
CWE‑573 Java java/ejb/reflection EJB uses reflection
CWE‑573 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑573 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑573 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑573 Java java/ejb/server-socket EJB uses server socket
CWE‑573 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑573 Java java/ejb/synchronization EJB uses synchronization
CWE‑573 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑573 Java java/ejb/threads EJB uses threads
CWE‑573 Java java/missing-call-to-super-clone Missing super clone
CWE‑573 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑573 Java java/unreleased-lock Unreleased lock
CWE‑573 Java java/missing-super-finalize Finalizer inconsistency
CWE‑573 Java java/missing-format-argument Missing format argument
CWE‑573 Java java/unused-format-argument Unused format argument
CWE‑573 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑573 Java java/empty-finalizer Empty body of finalizer
CWE‑573 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑573 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑573 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑573 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑573 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑573 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑573 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑573 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑574 Java java/ejb/synchronization EJB uses synchronization
CWE‑575 Java java/ejb/graphics EJB uses graphics
CWE‑576 Java java/ejb/file-io EJB uses file input/output
CWE‑577 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑577 Java java/ejb/server-socket EJB uses server socket
CWE‑578 Java java/ejb/container-interference EJB interferes with container operation
CWE‑580 Java java/missing-call-to-super-clone Missing super clone
CWE‑581 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑581 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑581 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑582 C# cs/static-array Array constant vulnerable to change
CWE‑582 Java java/static-array Array constant vulnerable to change
CWE‑584 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑584 JavaScript js/exit-from-finally Jump from finally
CWE‑584 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑585 C# cs/empty-lock-statement Empty lock statement
CWE‑585 Java java/empty-synchronized-block Empty synchronized block
CWE‑592 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑592 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑592 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑592 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑592 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑592 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑595 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑595 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑595 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑595 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑595 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑597 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑598 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑598 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑600 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑601 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑601 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑601 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑601 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑601 Python py/url-redirection URL redirection from remote source
CWE‑601 Default go/bad-redirect-check Bad redirect check
CWE‑601 Default go/unvalidated-url-redirection Open URL redirect
CWE‑601 Default rb/url-redirection URL redirection from remote source
CWE‑609 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑609 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑609 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑609 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑610 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑610 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑610 C# cs/path-injection Uncontrolled data used in path expression
CWE‑610 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑610 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑610 C# cs/insecure-xml-read XML is read insecurely
CWE‑610 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑610 C# cs/request-forgery Server-side request forgery
CWE‑610 Java java/path-injection Uncontrolled data used in path expression
CWE‑610 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑610 Java java/android/fragment-injection Android fragment injection
CWE‑610 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑610 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑610 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑610 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑610 Java java/ssrf Server-side request forgery
CWE‑610 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑610 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑610 Java java/xxe-with-experimental-sinks Resolving XML external entity in user-controlled data (experimental sinks)
CWE‑610 Java java/xxe-local-experimental-sinks Resolving XML external entity from a local source (experimental sinks)
CWE‑610 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑610 JavaScript js/template-object-injection Template Object Injection
CWE‑610 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑610 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑610 JavaScript js/xxe XML external entity expansion
CWE‑610 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑610 JavaScript js/request-forgery Server-side request forgery
CWE‑610 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑610 Python py/path-injection Uncontrolled data used in path expression
CWE‑610 Python py/url-redirection URL redirection from remote source
CWE‑610 Python py/xxe XML external entity expansion
CWE‑610 Python py/full-ssrf Full server-side request forgery
CWE‑610 Python py/partial-ssrf Partial server-side request forgery
CWE‑610 Default go/path-injection Uncontrolled data used in path expression
CWE‑610 Default go/bad-redirect-check Bad redirect check
CWE‑610 Default go/unvalidated-url-redirection Open URL redirect
CWE‑610 Default go/request-forgery Uncontrolled data used in network request
CWE‑610 Default go/ssrf Uncontrolled data used in network request
CWE‑610 Default rb/path-injection Uncontrolled data used in path expression
CWE‑610 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑610 Default rb/url-redirection URL redirection from remote source
CWE‑610 Default rb/xxe XML external entity expansion
CWE‑610 Default rb/request-forgery Server-side request forgery
CWE‑611 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑611 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑611 C# cs/insecure-xml-read XML is read insecurely
CWE‑611 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑611 Java java/xxe-with-experimental-sinks Resolving XML external entity in user-controlled data (experimental sinks)
CWE‑611 Java java/xxe-local-experimental-sinks Resolving XML external entity from a local source (experimental sinks)
CWE‑611 JavaScript js/xxe XML external entity expansion
CWE‑611 Python py/xxe XML external entity expansion
CWE‑611 Default rb/xxe XML external entity expansion
CWE‑614 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑614 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑614 Java java/insecure-cookie Failure to use secure cookies
CWE‑614 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑614 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑614 Python py/insecure-cookie Failure to use secure cookies
CWE‑625 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑628 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑628 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑628 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑628 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑628 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑628 Java java/missing-format-argument Missing format argument
CWE‑628 Java java/unused-format-argument Unused format argument
CWE‑628 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑628 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑628 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑628 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑628 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑628 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑628 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑639 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑640 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑640 Default go/email-injection Email content injection
CWE‑642 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑642 C# cs/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑642 Java java/path-injection Uncontrolled data used in path expression
CWE‑642 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑642 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑642 JavaScript js/template-object-injection Template Object Injection
CWE‑642 Python py/path-injection Uncontrolled data used in path expression
CWE‑642 Default go/path-injection Uncontrolled data used in path expression
CWE‑642 Default rb/path-injection Uncontrolled data used in path expression
CWE‑642 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑643 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑643 C# cs/xml/xpath-injection XPath injection
CWE‑643 Java java/xml/xpath-injection XPath injection
CWE‑643 JavaScript js/xpath-injection XPath injection
CWE‑643 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑643 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑643 Default go/xml/xpath-injection XPath injection
CWE‑652 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑657 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑657 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑657 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑657 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑657 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑657 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑657 Java java/hardcoded-password-field Hard-coded password field
CWE‑657 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑657 JavaScript js/remote-property-injection Remote property injection
CWE‑657 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑657 Python py/hardcoded-credentials Hard-coded credentials
CWE‑657 Default go/hardcoded-credentials Hard-coded credentials
CWE‑657 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑657 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑662 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑662 C++ cpp/twice-locked Mutex locked twice
CWE‑662 C++ cpp/unreleased-lock Lock may not be released
CWE‑662 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑662 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑662 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑662 C# cs/locked-wait A lock is held during a wait
CWE‑662 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑662 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑662 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑662 Java java/ejb/synchronization EJB uses synchronization
CWE‑662 Java java/wait-on-condition-interface Wait on condition
CWE‑662 Java java/call-to-thread-run Direct call to a run() method
CWE‑662 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑662 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑662 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑662 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑662 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑662 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑662 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑662 Java java/sleep-with-lock-held Sleep with lock held
CWE‑662 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑662 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑662 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑662 Java java/unreleased-lock Unreleased lock
CWE‑662 Java java/wait-with-two-locks Wait with two locks held
CWE‑662 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑664 C++ cpp/catch-missing-free Leaky catch
CWE‑664 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑664 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑664 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑664 C++ cpp/file-never-closed Open file is not closed
CWE‑664 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑664 C++ cpp/initialization-not-run Initialization code not run
CWE‑664 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑664 C++ cpp/memory-never-freed Memory is never freed
CWE‑664 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑664 C++ cpp/not-initialised Variable not initialized before use
CWE‑664 C++ cpp/use-after-free Potential use after free
CWE‑664 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑664 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑664 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑664 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑664 C++ cpp/improper-null-termination Potential improper null termination
CWE‑664 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑664 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑664 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑664 C++ cpp/self-assignment-check Self assignment check
CWE‑664 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑664 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑664 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑664 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑664 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑664 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑664 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑664 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑664 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑664 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑664 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑664 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑664 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑664 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑664 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑664 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑664 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑664 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑664 C++ cpp/twice-locked Mutex locked twice
CWE‑664 C++ cpp/unreleased-lock Lock may not be released
CWE‑664 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑664 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑664 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑664 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑664 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑664 C++ cpp/private-cleartext-write Exposure of private information
CWE‑664 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑664 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑664 C++ cpp/double-free Errors When Double Free
CWE‑664 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑664 C++ cpp/double-release Errors When Double Release
CWE‑664 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑664 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑664 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑664 C# cs/member-not-disposed Missing Dispose call
CWE‑664 C# cs/missing-dispose-method Missing Dispose method
CWE‑664 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑664 C# cs/class-name-comparison Erroneous class compare
CWE‑664 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑664 C# cs/expose-implementation Exposing internal representation
CWE‑664 C# cs/static-array Array constant vulnerable to change
CWE‑664 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑664 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑664 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑664 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑664 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑664 C# cs/locked-wait A lock is held during a wait
CWE‑664 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑664 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑664 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑664 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑664 C# cs/password-in-configuration Password in configuration file
CWE‑664 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑664 C# cs/web/file-upload Use of file upload
CWE‑664 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑664 C# cs/loss-of-precision Possible loss of precision
CWE‑664 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑664 C# cs/path-injection Uncontrolled data used in path expression
CWE‑664 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664 C# cs/code-injection Improper control of generation of code
CWE‑664 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑664 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑664 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑664 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑664 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑664 C# cs/session-reuse Failure to abandon session
CWE‑664 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 C# cs/deserialized-delegate Deserialized delegate
CWE‑664 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑664 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑664 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑664 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑664 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑664 C# cs/insecure-xml-read XML is read insecurely
CWE‑664 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑664 C# cs/regex-injection Regular expression injection
CWE‑664 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑664 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑664 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑664 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑664 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑664 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑664 C# cs/request-forgery Server-side request forgery
CWE‑664 Java java/ejb/synchronization EJB uses synchronization
CWE‑664 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑664 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑664 Java java/missing-call-to-super-clone Missing super clone
CWE‑664 Java java/wait-on-condition-interface Wait on condition
CWE‑664 Java java/call-to-thread-run Direct call to a run() method
CWE‑664 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑664 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑664 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑664 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑664 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑664 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑664 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑664 Java java/sleep-with-lock-held Sleep with lock held
CWE‑664 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑664 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑664 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑664 Java java/unreleased-lock Unreleased lock
CWE‑664 Java java/wait-with-two-locks Wait with two locks held
CWE‑664 Java java/missing-super-finalize Finalizer inconsistency
CWE‑664 Java java/input-resource-leak Potential input resource leak
CWE‑664 Java java/database-resource-leak Potential database resource leak
CWE‑664 Java java/output-resource-leak Potential output resource leak
CWE‑664 Java java/impossible-array-cast Impossible array cast
CWE‑664 Java java/path-injection Uncontrolled data used in path expression
CWE‑664 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑664 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑664 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑664 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑664 Java java/groovy-injection Groovy Language injection
CWE‑664 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑664 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑664 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑664 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑664 Java java/server-side-template-injection Server-side template injection
CWE‑664 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑664 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑664 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑664 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑664 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑664 Java java/android/backup-enabled Application backup allowed
CWE‑664 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑664 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑664 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑664 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑664 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑664 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑664 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑664 Java java/android/fragment-injection Android fragment injection
CWE‑664 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑664 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑664 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Java java/insecure-basic-auth Insecure basic authentication
CWE‑664 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑664 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑664 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑664 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑664 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑664 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑664 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Java java/redos Inefficient regular expression
CWE‑664 Java java/world-writable-file-read Reading from a world writable file
CWE‑664 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑664 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑664 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑664 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑664 Java java/hardcoded-password-field Hard-coded password field
CWE‑664 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑664 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑664 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑664 Java java/ssrf Server-side request forgery
CWE‑664 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑664 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑664 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑664 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑664 Java java/android/intent-redirection Android Intent redirection
CWE‑664 Java java/empty-finalizer Empty body of finalizer
CWE‑664 Java java/unassigned-field Field is never assigned a non-null value
CWE‑664 Java java/overly-general-catch Overly-general catch clause
CWE‑664 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑664 Java java/internal-representation-exposure Exposing internal representation
CWE‑664 Java java/static-array Array constant vulnerable to change
CWE‑664 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑664 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑664 Java java/beanshell-injection BeanShell injection
CWE‑664 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑664 Java java/jshell-injection JShell injection
CWE‑664 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑664 Java java/jython-injection Injection in Jython
CWE‑664 Java java/unsafe-eval Injection in Java Script Engine
CWE‑664 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑664 Java java/spring-view-manipulation Spring View Manipulation
CWE‑664 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑664 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑664 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑664 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑664 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑664 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑664 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑664 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑664 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑664 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑664 Java java/thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE‑664 Java java/thread-resource-abuse Uncontrolled thread resource consumption
CWE‑664 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑664 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑664 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑664 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑664 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑664 Java java/server-directory-listing Directories and files exposure
CWE‑664 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑664 Java java/password-in-configuration Password in configuration file
CWE‑664 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑664 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑664 Java java/xxe-with-experimental-sinks Resolving XML external entity in user-controlled data (experimental sinks)
CWE‑664 Java java/xxe-local-experimental-sinks Resolving XML external entity from a local source (experimental sinks)
CWE‑664 Java java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE‑664 Java java/regex-injection Regular expression injection
CWE‑664 Java java/incorrect-url-verification Incorrect URL verification
CWE‑664 JavaScript js/alert-call Invocation of alert
CWE‑664 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑664 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑664 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑664 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑664 JavaScript js/shift-out-of-range Shift out of range
CWE‑664 JavaScript js/debugger-statement Use of debugger statement
CWE‑664 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑664 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑664 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 JavaScript js/redos Inefficient regular expression
CWE‑664 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑664 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑664 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664 JavaScript js/template-object-injection Template Object Injection
CWE‑664 JavaScript js/code-injection Code injection
CWE‑664 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑664 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑664 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑664 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑664 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑664 JavaScript js/file-access-to-http File data in outbound network request
CWE‑664 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑664 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑664 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑664 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑664 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑664 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑664 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑664 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑664 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑664 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑664 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑664 JavaScript js/session-fixation Failure to abandon session
CWE‑664 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑664 JavaScript js/remote-property-injection Remote property injection
CWE‑664 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑664 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑664 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑664 JavaScript js/xxe XML external entity expansion
CWE‑664 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑664 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑664 JavaScript js/regex-injection Regular expression injection
CWE‑664 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑664 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑664 JavaScript js/xml-bomb XML internal entity expansion
CWE‑664 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑664 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑664 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑664 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑664 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑664 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑664 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑664 JavaScript js/http-to-file-access Network data written to file
CWE‑664 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑664 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑664 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑664 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑664 JavaScript js/request-forgery Server-side request forgery
CWE‑664 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑664 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑664 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑664 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑664 Python py/file-not-closed File is not always closed
CWE‑664 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑664 Python py/path-injection Uncontrolled data used in path expression
CWE‑664 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑664 Python py/code-injection Code injection
CWE‑664 Python py/stack-trace-exposure Information exposure through an exception
CWE‑664 Python py/flask-debug Flask app is run in debug mode
CWE‑664 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑664 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑664 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑664 Python py/insecure-temporary-file Insecure temporary file
CWE‑664 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑664 Python py/url-redirection URL redirection from remote source
CWE‑664 Python py/xxe XML external entity expansion
CWE‑664 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Python py/redos Inefficient regular expression
CWE‑664 Python py/regex-injection Regular expression injection
CWE‑664 Python py/overly-permissive-file Overly permissive file permissions
CWE‑664 Python py/xml-bomb XML internal entity expansion
CWE‑664 Python py/hardcoded-credentials Hard-coded credentials
CWE‑664 Python py/full-ssrf Full server-side request forgery
CWE‑664 Python py/partial-ssrf Partial server-side request forgery
CWE‑664 Python py/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑664 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑664 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑664 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑664 Default go/shift-out-of-range Shift out of range
CWE‑664 Default go/path-injection Uncontrolled data used in path expression
CWE‑664 Default go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑664 Default go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑664 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑664 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑664 Default go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑664 Default go/bad-redirect-check Bad redirect check
CWE‑664 Default go/unvalidated-url-redirection Open URL redirect
CWE‑664 Default go/email-injection Email content injection
CWE‑664 Default go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑664 Default go/hardcoded-credentials Hard-coded credentials
CWE‑664 Default go/request-forgery Uncontrolled data used in network request
CWE‑664 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑664 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑664 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑664 Default go/ssrf Uncontrolled data used in network request
CWE‑664 Default go/cors-misconfiguration CORS misconfiguration
CWE‑664 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑664 Default rb/user-controlled-file-decompression User-controlled file decompression
CWE‑664 Default rb/path-injection Uncontrolled data used in path expression
CWE‑664 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑664 Default rb/code-injection Code injection
CWE‑664 Default rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Default rb/redos Inefficient regular expression
CWE‑664 Default rb/regexp-injection Regular expression injection
CWE‑664 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑664 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑664 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑664 Default rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Default rb/url-redirection URL redirection from remote source
CWE‑664 Default rb/xxe XML external entity expansion
CWE‑664 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑664 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑664 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑664 Default rb/insecure-download Download of sensitive file through insecure connection
CWE‑664 Default rb/http-to-file-access Network data written to file
CWE‑664 Default rb/request-forgery Server-side request forgery
CWE‑665 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑665 C++ cpp/initialization-not-run Initialization code not run
CWE‑665 C++ cpp/not-initialised Variable not initialized before use
CWE‑665 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑665 C++ cpp/improper-null-termination Potential improper null termination
CWE‑665 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑665 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑665 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑665 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑665 Java java/unassigned-field Field is never assigned a non-null value
CWE‑665 Java java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE‑665 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑665 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑665 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑666 C++ cpp/use-after-free Potential use after free
CWE‑666 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑666 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑666 C++ cpp/self-assignment-check Self assignment check
CWE‑666 C++ cpp/double-free Errors When Double Free
CWE‑666 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑666 C++ cpp/double-release Errors When Double Release
CWE‑667 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑667 C++ cpp/twice-locked Mutex locked twice
CWE‑667 C++ cpp/unreleased-lock Lock may not be released
CWE‑667 C# cs/locked-wait A lock is held during a wait
CWE‑667 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑667 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑667 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑667 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑667 Java java/sleep-with-lock-held Sleep with lock held
CWE‑667 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑667 Java java/unreleased-lock Unreleased lock
CWE‑667 Java java/wait-with-two-locks Wait with two locks held
CWE‑667 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑668 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑668 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑668 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑668 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑668 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑668 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑668 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑668 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑668 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑668 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑668 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑668 C++ cpp/private-cleartext-write Exposure of private information
CWE‑668 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑668 C# cs/static-array Array constant vulnerable to change
CWE‑668 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑668 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑668 C# cs/password-in-configuration Password in configuration file
CWE‑668 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑668 C# cs/path-injection Uncontrolled data used in path expression
CWE‑668 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑668 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑668 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑668 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑668 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑668 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑668 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑668 Java java/path-injection Uncontrolled data used in path expression
CWE‑668 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑668 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑668 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑668 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑668 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑668 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Java java/insecure-basic-auth Insecure basic authentication
CWE‑668 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑668 Java java/world-writable-file-read Reading from a world writable file
CWE‑668 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑668 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑668 Java java/static-array Array constant vulnerable to change
CWE‑668 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑668 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑668 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑668 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑668 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑668 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑668 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑668 Java java/server-directory-listing Directories and files exposure
CWE‑668 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑668 Java java/password-in-configuration Password in configuration file
CWE‑668 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑668 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑668 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑668 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668 JavaScript js/template-object-injection Template Object Injection
CWE‑668 JavaScript js/file-access-to-http File data in outbound network request
CWE‑668 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑668 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑668 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑668 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑668 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑668 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑668 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑668 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑668 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑668 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑668 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑668 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑668 Python py/path-injection Uncontrolled data used in path expression
CWE‑668 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑668 Python py/stack-trace-exposure Information exposure through an exception
CWE‑668 Python py/flask-debug Flask app is run in debug mode
CWE‑668 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑668 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑668 Python py/insecure-temporary-file Insecure temporary file
CWE‑668 Python py/overly-permissive-file Overly permissive file permissions
CWE‑668 Python py/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑668 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑668 Default go/path-injection Uncontrolled data used in path expression
CWE‑668 Default go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑668 Default go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑668 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑668 Default go/cors-misconfiguration CORS misconfiguration
CWE‑668 Default rb/path-injection Uncontrolled data used in path expression
CWE‑668 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑668 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑668 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑668 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑668 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑669 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑669 C# cs/web/file-upload Use of file upload
CWE‑669 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑669 C# cs/insecure-xml-read XML is read insecurely
CWE‑669 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑669 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑669 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑669 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑669 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 JavaScript js/xxe XML external entity expansion
CWE‑669 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑669 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑669 JavaScript js/http-to-file-access Network data written to file
CWE‑669 Python py/xxe XML external entity expansion
CWE‑669 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑669 Default rb/xxe XML external entity expansion
CWE‑669 Default rb/insecure-download Download of sensitive file through insecure connection
CWE‑669 Default rb/http-to-file-access Network data written to file
CWE‑670 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑670 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑670 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑670 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑670 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑670 C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE‑670 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑670 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑670 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑670 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑670 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑670 Java java/switch-fall-through Unterminated switch case
CWE‑670 JavaScript js/useless-expression Expression has no effect
CWE‑670 JavaScript js/redundant-operation Identical operands
CWE‑670 JavaScript js/redundant-assignment Self assignment
CWE‑670 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑670 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑670 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑670 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑670 Python py/asserts-tuple Asserting a tuple
CWE‑670 Default go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Default go/useless-expression Expression has no effect
CWE‑670 Default go/redundant-operation Identical operands
CWE‑670 Default go/redundant-assignment Self assignment
CWE‑671 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑671 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑671 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑671 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑671 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑671 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑671 Java java/hardcoded-password-field Hard-coded password field
CWE‑671 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑671 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑671 Python py/hardcoded-credentials Hard-coded credentials
CWE‑671 Default go/hardcoded-credentials Hard-coded credentials
CWE‑671 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑671 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑672 C++ cpp/use-after-free Potential use after free
CWE‑672 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑672 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑672 C++ cpp/double-free Errors When Double Free
CWE‑672 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑674 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑674 C# cs/insecure-xml-read XML is read insecurely
CWE‑674 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑674 JavaScript js/xml-bomb XML internal entity expansion
CWE‑674 Python py/xml-bomb XML internal entity expansion
CWE‑674 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑674 Default rb/xxe XML external entity expansion
CWE‑675 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑675 C++ cpp/twice-locked Mutex locked twice
CWE‑675 C++ cpp/unreleased-lock Lock may not be released
CWE‑675 C++ cpp/double-free Errors When Double Free
CWE‑675 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑675 C++ cpp/double-release Errors When Double Release
CWE‑675 Java java/unreleased-lock Unreleased lock
CWE‑676 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑676 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑676 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑676 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑676 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑676 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑676 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑676 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑676 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑676 JavaScript js/eval-call Use of eval
CWE‑681 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑681 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑681 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑681 C# cs/loss-of-precision Possible loss of precision
CWE‑681 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑681 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑681 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑681 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑681 JavaScript js/shift-out-of-range Shift out of range
CWE‑681 Default go/shift-out-of-range Shift out of range
CWE‑681 Default go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑682 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑682 C++ cpp/overflow-destination Copy function using source size
CWE‑682 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑682 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑682 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑682 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑682 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑682 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑682 C++ cpp/signed-overflow-check Signed overflow check
CWE‑682 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑682 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑682 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑682 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑682 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑682 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑682 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑682 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑682 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑682 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑682 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑682 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑682 C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE‑682 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑682 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑682 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑682 C# cs/loss-of-precision Possible loss of precision
CWE‑682 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑682 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑682 Java java/index-out-of-bounds Array index out of bounds
CWE‑682 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑682 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑682 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Default go/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Default go/allocation-size-overflow Size computation for allocation may overflow
CWE‑682 Default go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑682 Default go/divide-by-zero Divide by zero
CWE‑684 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑684 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑685 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑685 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑685 Java java/missing-format-argument Missing format argument
CWE‑685 Java java/unused-format-argument Unused format argument
CWE‑685 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑685 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑685 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑685 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑686 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑687 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑687 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑691 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑691 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑691 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑691 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑691 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑691 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑691 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑691 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑691 C++ cpp/twice-locked Mutex locked twice
CWE‑691 C++ cpp/unreleased-lock Lock may not be released
CWE‑691 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑691 C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE‑691 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑691 C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE‑691 C++ cpp/errors-after-refactoring Errors After Refactoring
CWE‑691 C++ cpp/errors-when-using-bit-operations Errors When Using Bit Operations
CWE‑691 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑691 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑691 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑691 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑691 C# cs/constant-condition Constant condition
CWE‑691 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑691 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑691 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑691 C# cs/locked-wait A lock is held during a wait
CWE‑691 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑691 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑691 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑691 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑691 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑691 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑691 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑691 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑691 C# cs/code-injection Improper control of generation of code
CWE‑691 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑691 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑691 C# cs/insecure-xml-read XML is read insecurely
CWE‑691 Java java/ejb/container-interference EJB interferes with container operation
CWE‑691 Java java/ejb/synchronization EJB uses synchronization
CWE‑691 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑691 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑691 Java java/wait-on-condition-interface Wait on condition
CWE‑691 Java java/call-to-thread-run Direct call to a run() method
CWE‑691 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑691 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑691 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑691 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑691 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑691 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑691 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑691 Java java/sleep-with-lock-held Sleep with lock held
CWE‑691 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑691 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑691 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑691 Java java/unreleased-lock Unreleased lock
CWE‑691 Java java/wait-with-two-locks Wait with two locks held
CWE‑691 Java java/non-short-circuit-evaluation Dangerous non-short-circuit logic
CWE‑691 Java java/constant-loop-condition Constant loop condition
CWE‑691 Java java/groovy-injection Groovy Language injection
CWE‑691 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑691 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑691 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑691 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑691 Java java/server-side-template-injection Server-side template injection
CWE‑691 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑691 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑691 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑691 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑691 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑691 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑691 Java java/switch-fall-through Unterminated switch case
CWE‑691 Java java/overly-general-catch Overly-general catch clause
CWE‑691 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑691 Java java/jvm-exit Forcible JVM termination
CWE‑691 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑691 Java java/beanshell-injection BeanShell injection
CWE‑691 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑691 Java java/jshell-injection JShell injection
CWE‑691 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑691 Java java/jython-injection Injection in Jython
CWE‑691 Java java/unsafe-eval Injection in Java Script Engine
CWE‑691 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑691 Java java/spring-view-manipulation Spring View Manipulation
CWE‑691 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑691 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑691 JavaScript js/useless-expression Expression has no effect
CWE‑691 JavaScript js/redundant-operation Identical operands
CWE‑691 JavaScript js/redundant-assignment Self assignment
CWE‑691 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑691 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑691 JavaScript js/exit-from-finally Jump from finally
CWE‑691 JavaScript js/template-object-injection Template Object Injection
CWE‑691 JavaScript js/code-injection Code injection
CWE‑691 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑691 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑691 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑691 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑691 JavaScript js/file-system-race Potential file system race condition
CWE‑691 JavaScript js/server-crash Server crash
CWE‑691 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑691 JavaScript js/xml-bomb XML internal entity expansion
CWE‑691 JavaScript js/loop-bound-injection Loop bound injection
CWE‑691 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑691 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑691 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑691 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑691 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑691 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑691 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑691 Python py/code-injection Code injection
CWE‑691 Python py/xml-bomb XML internal entity expansion
CWE‑691 Python py/asserts-tuple Asserting a tuple
CWE‑691 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑691 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑691 Default go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 Default go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Default go/useless-expression Expression has no effect
CWE‑691 Default go/redundant-operation Identical operands
CWE‑691 Default go/redundant-assignment Self assignment
CWE‑691 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑691 Default rb/code-injection Code injection
CWE‑691 Default rb/xxe XML external entity expansion
CWE‑693 C++ cpp/boost/tls-settings-misconfiguration Boost_asio TLS Settings Misconfiguration
CWE‑693 C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio Use of deprecated hardcoded Protocol
CWE‑693 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑693 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑693 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑693 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑693 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑693 C++ cpp/certificate-result-conflation Certificate result conflation
CWE‑693 C++ cpp/certificate-not-checked Certificate not checked
CWE‑693 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑693 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑693 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑693 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑693 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑693 C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑693 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑693 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑693 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑693 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑693 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑693 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑693 C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE‑693 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑693 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑693 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑693 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑693 C# cs/password-in-configuration Password in configuration file
CWE‑693 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C# cs/serialization-check-bypass Serialization check bypass
CWE‑693 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C# cs/xml/missing-validation Missing XML validation
CWE‑693 C# cs/assembly-path-injection Assembly path injection
CWE‑693 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑693 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑693 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑693 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑693 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑693 C# cs/session-reuse Failure to abandon session
CWE‑693 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑693 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑693 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑693 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑693 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑693 C# cs/ecb-encryption Encryption using ECB
CWE‑693 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑693 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑693 C# cs/weak-encryption Weak encryption
CWE‑693 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑693 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑693 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Java java/overly-large-range Overly permissive regular expression range
CWE‑693 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑693 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑693 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑693 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑693 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑693 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑693 Java java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE‑693 Java java/insecure-trustmanager TrustManager that accepts all certificates
CWE‑693 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑693 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑693 Java java/android/backup-enabled Application backup allowed
CWE‑693 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑693 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑693 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑693 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑693 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑693 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑693 Java java/non-https-url Failure to use HTTPS URLs
CWE‑693 Java java/non-ssl-connection Failure to use SSL
CWE‑693 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑693 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑693 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑693 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑693 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑693 Java java/insecure-basic-auth Insecure basic authentication
CWE‑693 Java java/insecure-cookie Failure to use secure cookies
CWE‑693 Java java/world-writable-file-read Reading from a world writable file
CWE‑693 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑693 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑693 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑693 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑693 Java java/hardcoded-password-field Hard-coded password field
CWE‑693 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑693 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑693 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑693 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑693 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑693 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑693 Java java/android/intent-redirection Android Intent redirection
CWE‑693 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑693 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑693 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑693 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑693 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑693 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑693 Java java/insufficient-key-size Weak encryption: Insufficient key size
CWE‑693 Java java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑693 Java java/unsafe-tls-version Unsafe TLS version
CWE‑693 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑693 Java java/ip-address-spoofing IP address spoofing
CWE‑693 Java java/jsonp-injection JSONP Injection
CWE‑693 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑693 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑693 Java java/password-in-configuration Password in configuration file
CWE‑693 Java java/hash-without-salt Use of a hash function without a salt
CWE‑693 Java java/incorrect-url-verification Incorrect URL verification
CWE‑693 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑693 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑693 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑693 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 JavaScript js/overly-large-range Overly permissive regular expression range
CWE‑693 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑693 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑693 JavaScript js/double-escaping Double escaping or unescaping
CWE‑693 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑693 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑693 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑693 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑693 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑693 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑693 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑693 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑693 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑693 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑693 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑693 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑693 JavaScript js/session-fixation Failure to abandon session
CWE‑693 JavaScript js/remote-property-injection Remote property injection
CWE‑693 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑693 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑693 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑693 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑693 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑693 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑693 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑693 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑693 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 Python py/overly-large-range Overly permissive regular expression range
CWE‑693 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑693 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑693 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑693 Python py/request-without-cert-validation Request without certificate validation
CWE‑693 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑693 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑693 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑693 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑693 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑693 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑693 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑693 Python py/overly-permissive-file Overly permissive file permissions
CWE‑693 Python py/hardcoded-credentials Hard-coded credentials
CWE‑693 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑693 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE‑693 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 Python py/ip-address-spoofing IP address spoofing
CWE‑693 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑693 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑693 Python py/insecure-cookie Failure to use secure cookies
CWE‑693 Default go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Default go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Default go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 Default go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 Default go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑693 Default go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Default go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑693 Default go/disabled-certificate-check Disabled TLS certificate check
CWE‑693 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑693 Default go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑693 Default go/weak-crypto-key Use of a weak cryptographic key
CWE‑693 Default go/insecure-tls Insecure TLS configuration
CWE‑693 Default go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑693 Default go/email-injection Email content injection
CWE‑693 Default go/hardcoded-credentials Hard-coded credentials
CWE‑693 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑693 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑693 Default go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑693 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑693 Default go/cors-misconfiguration CORS misconfiguration
CWE‑693 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑693 Default rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Default rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 Default rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 Default rb/overly-large-range Overly permissive regular expression range
CWE‑693 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑693 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 Default rb/request-without-cert-validation Request without certificate validation
CWE‑693 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑693 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑693 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑693 Default rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 Default rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑693 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑693 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑693 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑695 Java java/ejb/file-io EJB uses file input/output
CWE‑695 Java java/ejb/graphics EJB uses graphics
CWE‑695 Java java/ejb/synchronization EJB uses synchronization
CWE‑695 Java java/ejb/threads EJB uses threads
CWE‑697 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑697 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑697 C# cs/class-name-comparison Erroneous class compare
CWE‑697 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑697 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑697 Java java/missing-default-in-switch Missing default case in switch
CWE‑697 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑697 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑697 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑697 Java java/missing-case-in-switch Missing enum case in switch
CWE‑697 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑697 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑697 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑697 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑697 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑697 Default go/cors-misconfiguration CORS misconfiguration
CWE‑697 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑703 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑703 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑703 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑703 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑703 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑703 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑703 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑703 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑703 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑703 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑703 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑703 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑703 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑703 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑703 C# cs/unchecked-return-value Unchecked return value
CWE‑703 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑703 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑703 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑703 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑703 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑703 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 Java java/return-value-ignored Method result ignored
CWE‑703 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑703 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑703 Java java/discarded-exception Discarded exception
CWE‑703 Java java/overly-general-catch Overly-general catch clause
CWE‑703 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑703 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑703 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑703 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑703 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑703 JavaScript js/server-crash Server crash
CWE‑703 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑703 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑703 Python py/empty-except Empty except
CWE‑703 Python py/ignored-return-value Ignored return value
CWE‑703 Python py/stack-trace-exposure Information exposure through an exception
CWE‑703 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑704 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑704 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑704 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑704 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑704 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑704 C# cs/loss-of-precision Possible loss of precision
CWE‑704 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑704 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑704 Java java/impossible-array-cast Impossible array cast
CWE‑704 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑704 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑704 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑704 JavaScript js/shift-out-of-range Shift out of range
CWE‑704 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑704 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑704 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑704 Default go/shift-out-of-range Shift out of range
CWE‑704 Default go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑705 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑705 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑705 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑705 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑705 Java java/ejb/container-interference EJB interferes with container operation
CWE‑705 Java java/overly-general-catch Overly-general catch clause
CWE‑705 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑705 Java java/jvm-exit Forcible JVM termination
CWE‑705 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑705 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑705 JavaScript js/exit-from-finally Jump from finally
CWE‑705 JavaScript js/server-crash Server crash
CWE‑705 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑705 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑706 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑706 C# cs/insecure-xml-read XML is read insecurely
CWE‑706 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑706 Java java/path-injection Uncontrolled data used in path expression
CWE‑706 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑706 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑706 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑706 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑706 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑706 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑706 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑706 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑706 JavaScript js/xxe XML external entity expansion
CWE‑706 Python py/path-injection Uncontrolled data used in path expression
CWE‑706 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑706 Python py/xxe XML external entity expansion
CWE‑706 Python py/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑706 Default go/path-injection Uncontrolled data used in path expression
CWE‑706 Default go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑706 Default go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑706 Default rb/path-injection Uncontrolled data used in path expression
CWE‑706 Default rb/xxe XML external entity expansion
CWE‑707 C++ cpp/non-constant-format Non-constant format string
CWE‑707 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑707 C++ cpp/improper-null-termination Potential improper null termination
CWE‑707 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑707 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑707 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑707 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑707 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑707 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑707 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑707 C# cs/path-injection Uncontrolled data used in path expression
CWE‑707 C# cs/command-line-injection Uncontrolled command line
CWE‑707 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑707 C# cs/web/stored-xss Stored cross-site scripting
CWE‑707 C# cs/web/xss Cross-site scripting
CWE‑707 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑707 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑707 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑707 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑707 C# cs/xml-injection XML injection
CWE‑707 C# cs/code-injection Improper control of generation of code
CWE‑707 C# cs/resource-injection Resource injection
CWE‑707 C# cs/log-forging Log entries created from user input
CWE‑707 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑707 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑707 C# cs/xml/xpath-injection XPath injection
CWE‑707 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑707 C# cs/web/disabled-header-checking Header checking disabled
CWE‑707 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑707 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑707 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑707 Java java/relative-path-command Executing a command with a relative path
CWE‑707 Java java/command-line-injection Uncontrolled command line
CWE‑707 Java java/command-line-injection-local Local-user-controlled command line
CWE‑707 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑707 Java java/xss Cross-site scripting
CWE‑707 Java java/xss-local Cross-site scripting from local source
CWE‑707 Java java/sql-injection Query built from user-controlled sources
CWE‑707 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑707 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑707 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Java java/groovy-injection Groovy Language injection
CWE‑707 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑707 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑707 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑707 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑707 Java java/server-side-template-injection Server-side template injection
CWE‑707 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑707 Java java/http-response-splitting HTTP response splitting
CWE‑707 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑707 Java java/log-injection Log Injection
CWE‑707 Java java/tainted-format-string Use of externally-controlled format string
CWE‑707 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑707 Java java/xml/xpath-injection XPath injection
CWE‑707 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑707 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑707 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑707 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑707 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑707 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑707 Java java/beanshell-injection BeanShell injection
CWE‑707 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑707 Java java/jshell-injection JShell injection
CWE‑707 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑707 Java java/jython-injection Injection in Jython
CWE‑707 Java java/unsafe-eval Injection in Java Script Engine
CWE‑707 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑707 Java java/spring-view-manipulation Spring View Manipulation
CWE‑707 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑707 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑707 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑707 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑707 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑707 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑707 JavaScript js/template-object-injection Template Object Injection
CWE‑707 JavaScript js/command-line-injection Uncontrolled command line
CWE‑707 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑707 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑707 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑707 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑707 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑707 JavaScript js/stored-xss Stored cross-site scripting
CWE‑707 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑707 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑707 JavaScript js/xss Client-side cross-site scripting
CWE‑707 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑707 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑707 JavaScript js/code-injection Code injection
CWE‑707 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑707 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑707 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑707 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑707 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑707 JavaScript js/double-escaping Double escaping or unescaping
CWE‑707 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑707 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑707 JavaScript js/log-injection Log injection
CWE‑707 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑707 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑707 JavaScript js/xpath-injection XPath injection
CWE‑707 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑707 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑707 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑707 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑707 Python py/path-injection Uncontrolled data used in path expression
CWE‑707 Python py/command-line-injection Uncontrolled command line
CWE‑707 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑707 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑707 Python py/sql-injection SQL query built from user-controlled sources
CWE‑707 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Python py/code-injection Code injection
CWE‑707 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑707 Python py/log-injection Log Injection
CWE‑707 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑707 Python py/template-injection Server Side Template Injection
CWE‑707 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑707 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑707 Python py/header-injection HTTP Header Injection
CWE‑707 Python py/nosql-injection NoSQL Injection
CWE‑707 Default go/path-injection Uncontrolled data used in path expression
CWE‑707 Default go/command-injection Command built from user-controlled sources
CWE‑707 Default go/stored-command Command built from stored data
CWE‑707 Default go/reflected-xss Reflected cross-site scripting
CWE‑707 Default go/stored-xss Stored cross-site scripting
CWE‑707 Default go/sql-injection Database query built from user-controlled sources
CWE‑707 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑707 Default go/log-injection Log entries created from user input
CWE‑707 Default go/xml/xpath-injection XPath injection
CWE‑707 Default go/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Default go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑707 Default rb/path-injection Uncontrolled data used in path expression
CWE‑707 Default rb/command-line-injection Uncontrolled command line
CWE‑707 Default rb/kernel-open Use of Kernel.open or IO.read
CWE‑707 Default rb/reflected-xss Reflected server-side cross-site scripting
CWE‑707 Default rb/stored-xss Stored cross-site scripting
CWE‑707 Default rb/sql-injection SQL query built from user-controlled sources
CWE‑707 Default rb/code-injection Code injection
CWE‑707 Default rb/bad-tag-filter Bad HTML filtering regexp
CWE‑707 Default rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 Default rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 Default rb/log-injection Log injection
CWE‑707 Default rb/tainted-format-string Use of externally-controlled format string
CWE‑710 C++ cpp/unused-local-variable Unused local variable
CWE‑710 C++ cpp/unused-static-function Unused static function
CWE‑710 C++ cpp/unused-static-variable Unused static variable
CWE‑710 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑710 C++ cpp/dead-code-function Function is never called
CWE‑710 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑710 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑710 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑710 C++ cpp/missing-null-test Returned pointer not checked
CWE‑710 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑710 C++ cpp/fixme-comment FIXME comment
CWE‑710 C++ cpp/todo-comment TODO comment
CWE‑710 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑710 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑710 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑710 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑710 C++ cpp/useless-expression Expression has no effect
CWE‑710 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑710 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑710 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑710 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑710 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑710 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑710 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑710 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑710 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑710 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑710 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑710 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑710 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑710 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑710 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑710 C++ cpp/twice-locked Mutex locked twice
CWE‑710 C++ cpp/unreleased-lock Lock may not be released
CWE‑710 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑710 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑710 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑710 C++ cpp/double-free Errors When Double Free
CWE‑710 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑710 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑710 C++ cpp/double-release Errors When Double Release
CWE‑710 C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE‑710 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑710 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑710 C# cs/todo-comment TODO comment
CWE‑710 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 C# cs/unused-reftype Dead reference types
CWE‑710 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑710 C# cs/unused-field Unused field
CWE‑710 C# cs/unused-method Unused method
CWE‑710 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑710 C# cs/useless-cast-to-self Cast to same type
CWE‑710 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑710 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑710 C# cs/useless-type-test Useless type test
CWE‑710 C# cs/useless-upcast Useless upcast
CWE‑710 C# cs/empty-collection Container contents are never initialized
CWE‑710 C# cs/unused-collection Container contents are never accessed
CWE‑710 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑710 C# cs/empty-lock-statement Empty lock statement
CWE‑710 C# cs/linq/useless-select Redundant Select
CWE‑710 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑710 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑710 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑710 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑710 Java java/dead-class Dead class
CWE‑710 Java java/dead-enum-constant Dead enum constant
CWE‑710 Java java/dead-field Dead field
CWE‑710 Java java/dead-function Dead method
CWE‑710 Java java/lines-of-dead-code Lines of dead code in files
CWE‑710 Java java/unused-parameter Useless parameter
CWE‑710 Java java/ejb/container-interference EJB interferes with container operation
CWE‑710 Java java/ejb/file-io EJB uses file input/output
CWE‑710 Java java/ejb/graphics EJB uses graphics
CWE‑710 Java java/ejb/native-code EJB uses native code
CWE‑710 Java java/ejb/reflection EJB uses reflection
CWE‑710 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑710 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑710 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑710 Java java/ejb/server-socket EJB uses server socket
CWE‑710 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑710 Java java/ejb/synchronization EJB uses synchronization
CWE‑710 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑710 Java java/ejb/threads EJB uses threads
CWE‑710 Java java/useless-null-check Useless null check
CWE‑710 Java java/useless-type-test Useless type test
CWE‑710 Java java/useless-upcast Useless upcast
CWE‑710 Java java/missing-call-to-super-clone Missing super clone
CWE‑710 Java java/empty-container Container contents are never initialized
CWE‑710 Java java/unused-container Container contents are never accessed
CWE‑710 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑710 Java java/constant-comparison Useless comparison test
CWE‑710 Java java/unreleased-lock Unreleased lock
CWE‑710 Java java/missing-super-finalize Finalizer inconsistency
CWE‑710 Java java/missing-format-argument Missing format argument
CWE‑710 Java java/unused-format-argument Unused format argument
CWE‑710 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑710 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 Java java/empty-synchronized-block Empty synchronized block
CWE‑710 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑710 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑710 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑710 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑710 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑710 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑710 Java java/hardcoded-password-field Hard-coded password field
CWE‑710 Java java/todo-comment TODO/FIXME comments
CWE‑710 Java java/unused-reference-type Unused classes and interfaces
CWE‑710 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑710 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Java java/empty-finalizer Empty body of finalizer
CWE‑710 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑710 Java java/local-variable-is-never-read Unread local variable
CWE‑710 Java java/unused-field Unused field
CWE‑710 Java java/unused-label Unused label
CWE‑710 Java java/unused-local-variable Unused local variable
CWE‑710 Java java/switch-fall-through Unterminated switch case
CWE‑710 Java java/redundant-cast Unnecessary cast
CWE‑710 Java java/unused-import Unnecessary import
CWE‑710 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑710 JavaScript js/todo-comment TODO comment
CWE‑710 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑710 JavaScript js/malformed-html-id Malformed id attribute
CWE‑710 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑710 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑710 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑710 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑710 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑710 JavaScript js/overwritten-property Overwritten property
CWE‑710 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑710 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑710 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑710 JavaScript js/duplicate-property Duplicate property
CWE‑710 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑710 JavaScript js/useless-expression Expression has no effect
CWE‑710 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑710 JavaScript js/redundant-operation Identical operands
CWE‑710 JavaScript js/redundant-assignment Self assignment
CWE‑710 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑710 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑710 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑710 JavaScript js/useless-type-test Useless type test
CWE‑710 JavaScript js/conditional-comment Conditional comments
CWE‑710 JavaScript js/eval-call Use of eval
CWE‑710 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑710 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑710 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑710 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑710 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑710 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑710 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑710 JavaScript js/remote-property-injection Remote property injection
CWE‑710 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑710 JavaScript js/http-to-file-access Network data written to file
CWE‑710 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑710 JavaScript js/unreachable-statement Unreachable statement
CWE‑710 JavaScript js/trivial-conditional Useless conditional
CWE‑710 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑710 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑710 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑710 Python py/unreachable-except Unreachable 'except' block
CWE‑710 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑710 Python py/comparison-of-constants Comparison of constants
CWE‑710 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑710 Python py/redundant-comparison Redundant comparison
CWE‑710 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑710 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑710 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑710 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑710 Python py/import-deprecated-module Import of deprecated module
CWE‑710 Python py/hardcoded-credentials Hard-coded credentials
CWE‑710 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑710 Python py/redundant-assignment Redundant assignment
CWE‑710 Python py/ineffectual-statement Statement has no effect
CWE‑710 Python py/unreachable-statement Unreachable code
CWE‑710 Python py/multiple-definition Variable defined multiple times
CWE‑710 Python py/unused-local-variable Unused local variable
CWE‑710 Python py/unused-global-variable Unused global variable
CWE‑710 Default go/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Default go/useless-assignment-to-field Useless assignment to field
CWE‑710 Default go/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Default go/duplicate-branches Duplicate 'if' branches
CWE‑710 Default go/duplicate-condition Duplicate 'if' condition
CWE‑710 Default go/duplicate-switch-case Duplicate switch case
CWE‑710 Default go/useless-expression Expression has no effect
CWE‑710 Default go/redundant-operation Identical operands
CWE‑710 Default go/redundant-assignment Self assignment
CWE‑710 Default go/unreachable-statement Unreachable statement
CWE‑710 Default go/hardcoded-credentials Hard-coded credentials
CWE‑710 Default go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑710 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑710 Default rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑710 Default rb/http-to-file-access Network data written to file
CWE‑710 Default rb/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Default rb/unused-parameter Unused parameter.
CWE‑732 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑732 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑732 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑732 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑732 Java java/world-writable-file-read Reading from a world writable file
CWE‑732 Python py/overly-permissive-file Overly permissive file permissions
CWE‑732 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑732 Default rb/overly-permissive-file Overly permissive file permissions
CWE‑733 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑749 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑754 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑754 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑754 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑754 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑754 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑754 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑754 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑754 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑754 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑754 C# cs/unchecked-return-value Unchecked return value
CWE‑754 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 Java java/return-value-ignored Method result ignored
CWE‑754 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑754 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑754 Python py/ignored-return-value Ignored return value
CWE‑755 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑755 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑755 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑755 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑755 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑755 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑755 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑755 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑755 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑755 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Java java/overly-general-catch Overly-general catch clause
CWE‑755 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑755 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑755 Python py/empty-except Empty except
CWE‑755 Python py/stack-trace-exposure Information exposure through an exception
CWE‑755 Default go/stack-trace-exposure Information exposure through a stack trace
CWE‑756 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑758 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑758 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑758 C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE‑758 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑758 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑758 JavaScript js/malformed-html-id Malformed id attribute
CWE‑758 JavaScript js/conditional-comment Conditional comments
CWE‑758 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑758 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑758 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑759 Java java/hash-without-salt Use of a hash function without a salt
CWE‑764 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑764 C++ cpp/twice-locked Mutex locked twice
CWE‑764 C++ cpp/unreleased-lock Lock may not be released
CWE‑764 Java java/unreleased-lock Unreleased lock
CWE‑770 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑770 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑770 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑770 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑772 C++ cpp/catch-missing-free Leaky catch
CWE‑772 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑772 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑772 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑772 C++ cpp/file-never-closed Open file is not closed
CWE‑772 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑772 C++ cpp/memory-never-freed Memory is never freed
CWE‑772 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑772 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑772 Java java/input-resource-leak Potential input resource leak
CWE‑772 Java java/database-resource-leak Potential database resource leak
CWE‑772 Java java/output-resource-leak Potential output resource leak
CWE‑772 Python py/file-not-closed File is not always closed
CWE‑775 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑775 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑775 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑775 C++ cpp/file-never-closed Open file is not closed
CWE‑776 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑776 C# cs/insecure-xml-read XML is read insecurely
CWE‑776 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑776 JavaScript js/xml-bomb XML internal entity expansion
CWE‑776 Python py/xml-bomb XML internal entity expansion
CWE‑776 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑776 Default rb/xxe XML external entity expansion
CWE‑780 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑780 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑783 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑783 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑783 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑783 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 Default go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑787 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑787 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑787 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑787 C++ cpp/badly-bounded-write Badly bounded write
CWE‑787 C++ cpp/overrunning-write Potentially overrunning write
CWE‑787 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑787 C++ cpp/unbounded-write Unbounded write
CWE‑787 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑787 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑787 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑787 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑787 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑787 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑788 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑788 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑788 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑788 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑788 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑788 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑788 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑788 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 Default go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑789 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑798 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑798 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑798 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑798 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑798 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑798 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑798 Java java/hardcoded-password-field Hard-coded password field
CWE‑798 Java java/hardcoded-jwt-key Use of a hardcoded key for signing JWT
CWE‑798 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑798 Python py/hardcoded-credentials Hard-coded credentials
CWE‑798 Default go/hardcoded-credentials Hard-coded credentials
CWE‑798 Default go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑798 Default rb/hardcoded-credentials Hard-coded credentials
CWE‑799 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑805 C++ cpp/badly-bounded-write Badly bounded write
CWE‑805 C++ cpp/overrunning-write Potentially overrunning write
CWE‑805 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑805 C++ cpp/unbounded-write Unbounded write
CWE‑805 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑807 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑807 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑807 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑807 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑807 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑807 Default rb/user-controlled-bypass User-controlled bypass of security check
CWE‑820 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑820 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑820 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑821 Java java/ejb/synchronization EJB uses synchronization
CWE‑821 Java java/call-to-thread-run Direct call to a run() method
CWE‑823 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑823 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑825 C++ cpp/use-after-free Potential use after free
CWE‑825 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑825 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑825 C++ cpp/double-free Errors When Double Free
CWE‑825 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑826 C++ cpp/self-assignment-check Self assignment check
CWE‑827 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑827 C# cs/insecure-xml-read XML is read insecurely
CWE‑827 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑827 JavaScript js/xxe XML external entity expansion
CWE‑827 Python py/xxe XML external entity expansion
CWE‑827 Default rb/xxe XML external entity expansion
CWE‑829 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑829 C# cs/insecure-xml-read XML is read insecurely
CWE‑829 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑829 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑829 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑829 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 JavaScript js/xxe XML external entity expansion
CWE‑829 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑829 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑829 Python py/xxe XML external entity expansion
CWE‑829 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑829 Default rb/xxe XML external entity expansion
CWE‑829 Default rb/insecure-download Download of sensitive file through insecure connection
CWE‑830 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑833 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑833 C++ cpp/twice-locked Mutex locked twice
CWE‑833 C++ cpp/unreleased-lock Lock may not be released
CWE‑833 C# cs/locked-wait A lock is held during a wait
CWE‑833 Java java/sleep-with-lock-held Sleep with lock held
CWE‑833 Java java/unreleased-lock Unreleased lock
CWE‑833 Java java/wait-with-two-locks Wait with two locks held
CWE‑833 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑834 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑834 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑834 C# cs/constant-condition Constant condition
CWE‑834 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑834 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑834 C# cs/insecure-xml-read XML is read insecurely
CWE‑834 Java java/constant-loop-condition Constant loop condition
CWE‑834 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑834 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑834 JavaScript js/xml-bomb XML internal entity expansion
CWE‑834 JavaScript js/loop-bound-injection Loop bound injection
CWE‑834 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 Python py/xml-bomb XML internal entity expansion
CWE‑834 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer DoS vulnerability
CWE‑834 Default go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 Default rb/xxe XML external entity expansion
CWE‑835 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑835 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑835 C# cs/constant-condition Constant condition
CWE‑835 Java java/constant-loop-condition Constant loop condition
CWE‑835 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑835 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 Default go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑838 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑843 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑843 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑862 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑862 Java java/incorrect-url-verification Incorrect URL verification
CWE‑862 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑862 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑908 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑909 C++ cpp/initialization-not-run Initialization code not run
CWE‑912 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 JavaScript js/http-to-file-access Network data written to file
CWE‑912 Default rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 Default rb/http-to-file-access Network data written to file
CWE‑913 C# cs/code-injection Improper control of generation of code
CWE‑913 C# cs/deserialized-delegate Deserialized delegate
CWE‑913 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑913 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑913 Java java/groovy-injection Groovy Language injection
CWE‑913 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑913 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑913 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑913 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑913 Java java/server-side-template-injection Server-side template injection
CWE‑913 Java java/android/fragment-injection Android fragment injection
CWE‑913 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑913 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑913 Java java/beanshell-injection BeanShell injection
CWE‑913 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑913 Java java/jshell-injection JShell injection
CWE‑913 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑913 Java java/jython-injection Injection in Jython
CWE‑913 Java java/unsafe-eval Injection in Java Script Engine
CWE‑913 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑913 Java java/spring-view-manipulation Spring View Manipulation
CWE‑913 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑913 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑913 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑913 JavaScript js/template-object-injection Template Object Injection
CWE‑913 JavaScript js/code-injection Code injection
CWE‑913 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑913 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑913 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑913 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑913 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑913 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑913 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑913 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑913 Python py/code-injection Code injection
CWE‑913 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑913 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑913 Default rb/code-injection Code injection
CWE‑913 Default rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑915 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑915 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑915 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑916 Java java/hash-without-salt Use of a hash function without a salt
CWE‑916 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑916 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑917 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑918 C# cs/request-forgery Server-side request forgery
CWE‑918 Java java/ssrf Server-side request forgery
CWE‑918 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑918 JavaScript js/request-forgery Server-side request forgery
CWE‑918 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑918 Python py/full-ssrf Full server-side request forgery
CWE‑918 Python py/partial-ssrf Partial server-side request forgery
CWE‑918 Default go/request-forgery Uncontrolled data used in network request
CWE‑918 Default go/ssrf Uncontrolled data used in network request
CWE‑918 Default rb/request-forgery Server-side request forgery
CWE‑922 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑922 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑922 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑922 C# cs/password-in-configuration Password in configuration file
CWE‑922 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑922 Java java/android/backup-enabled Application backup allowed
CWE‑922 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑922 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑922 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑922 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑922 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑922 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑922 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑922 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑922 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑922 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑922 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑922 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑922 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑922 Default go/clear-text-logging Clear-text logging of sensitive information
CWE‑922 Default rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑922 Default rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑923 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑923 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑923 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑923 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑923 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑923 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑923 Java java/android/intent-redirection Android Intent redirection
CWE‑923 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑923 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑923 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑923 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑923 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑923 Default go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑923 Default go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑923 Default rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑925 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑926 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑926 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑926 Java java/android/intent-redirection Android Intent redirection
CWE‑927 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑927 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑939 Java java/incorrect-url-verification Incorrect URL verification
CWE‑940 Java java/android/intent-redirection Android Intent redirection
CWE‑940 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑942 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑942 Default go/cors-misconfiguration CORS misconfiguration
CWE‑943 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑943 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑943 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑943 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑943 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑943 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑943 C# cs/xml/xpath-injection XPath injection
CWE‑943 Java java/sql-injection Query built from user-controlled sources
CWE‑943 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑943 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑943 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Java java/xml/xpath-injection XPath injection
CWE‑943 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑943 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑943 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑943 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑943 JavaScript js/xpath-injection XPath injection
CWE‑943 Python py/sql-injection SQL query built from user-controlled sources
CWE‑943 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑943 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑943 Python py/nosql-injection NoSQL Injection
CWE‑943 Default go/sql-injection Database query built from user-controlled sources
CWE‑943 Default go/unsafe-quoting Potentially unsafe quoting
CWE‑943 Default go/xml/xpath-injection XPath injection
CWE‑943 Default go/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Default rb/sql-injection SQL query built from user-controlled sources
CWE‑1004 C# cs/web/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE‑1004 Java java/tomcat-disabled-httponly Tomcat config disables 'HttpOnly' flag (XSS risk)
CWE‑1004 Java java/sensitive-cookie-not-httponly Sensitive cookies without the HttpOnly response header set
CWE‑1004 JavaScript js/client-exposed-cookie Sensitive server cookie exposed to the client
CWE‑1004 Default go/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE‑1022 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑1041 C++ cpp/call-to-function-without-wrapper Missed opportunity to call wrapper function
CWE‑1104 Java java/maven/dependency-upon-bintray Depending upon JCenter/Bintray as an artifact repository
CWE‑1126 C++ cpp/errors-when-using-variable-declaration-inside-loop Errors When Using Variable Declaration Inside Loop
CWE‑1176 JavaScript js/angular/double-compilation Double compilation
CWE‑1204 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑1236 Python py/csv-injection Csv Injection
CWE‑1275 JavaScript js/samesite-none-cookie Sensitive cookie without SameSite restrictions
CWE‑1275 Default rb/weak-cookie-configuration Weak cookie configuration
CWE‑1333 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑1333 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Java java/redos Inefficient regular expression
CWE‑1333 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 JavaScript js/redos Inefficient regular expression
CWE‑1333 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Python py/redos Inefficient regular expression
CWE‑1333 Default rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Default rb/redos Inefficient regular expression
CWE‑1333 Default rb/regexp-injection Regular expression injection
CWE‑1336 Java java/server-side-template-injection Server-side template injection
  • © GitHub, Inc.